CVE-2024-13361

CVE-2024-13361 involves the WordPress plugin “AI Power: Complete AI Pack.” The vulnerability arises from a missing capability check in wpaicg_save_image_media across versions up to 1.8.96, enabling authenticated attackers with Subscriber+ access to upload image files and embed shortcode attribute...

CVE-2024-13590

The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

PT-2025-2223 · WordPress · The Picture Gallery – Frontend Image Uploads

Name of the Vulnerable Software and Affected Versions: Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress versions up to, and including, 1.5.19 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'videowhisper pictures' shortcode due to...

WordPress plugin GamiPress 代码注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. WordPress plugin...

WordPress plugin Simple shortcode buttons 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in...

PT-2025-2225 · WordPress · Ketchup Shortcodes

Name of the Vulnerable Software and Affected Versions: Ketchup Shortcodes plugin for WordPress versions up to, and including, 0.1.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode due to insufficient input sanitization and output escaping on...

PT-2025-2189 · WordPress · Gamipress

Name of the Vulnerable Software and Affected Versions: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress versions up to, and including, 7.2.1 Description: The issue arises due to the software allowing users to execute an action that does not properly...

PT-2025-1864 · WordPress · Avada Builder

Name of the Vulnerable Software and Affected Versions: Avada Builder plugin for WordPress versions up to, and including, 3.11.11 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcodes. This allows authenticated...

WordPress GamiPress plugin <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function vulnerability

Unauthenticated Arbitrary Shortcode Execution via gamipressajaxgetlogs Function vulnerability discovered by mikemyers in WordPress Plugin GamiPress versions = 7.2.1...

WordPress AI Power: Complete AI Pack plugin <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution vulnerability discovered by mikemyers in WordPress Plugin GPT3 AI Content Writer versions = 1.8.96...

CVE-2025-22267

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpweaver Weaver Themes Shortcode Compatibility weaver-themes-shortcode-compatibility allows Stored XSS.This issue affects Weaver Themes Shortcode Compatibility: from n/a through = 1.0.4...

CVE-2025-22276

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in enguerranws Related Post Shortcode related-post-shortcode allows Stored XSS.This issue affects Related Post Shortcode: from n/a through = 1.2...

CVE-2025-22267 WordPress Weaver Themes Shortcode Compatibility Plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Bruce Wampler Weaver Themes Shortcode Compatibility allows Stored XSS. This issue affects Weaver Themes Shortcode Compatibility: from n/a through 1.0.4...

CVE-2025-22276

CVE-2025-22276 is a stored XSS vulnerability in the WordPress Related Post Shortcode plugin. Affected: Related Post Shortcode (versions up to 1.2, n/a through 1.2). Root cause: improper neutralization of input during web page generation. Impact: stored cross-site scripting vulnerability with low–...

WordPress plugin Weaver Themes Shortcode Compatibility 跨站脚本漏洞

WordPress and the WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exist...

PT-2025-2191 · WordPress · Gamipress

Name of the Vulnerable Software and Affected Versions: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress versions up to, and including, 7.2.1 Description: The issue is related to arbitrary shortcode execution via the gamipress do shortcode function. This ...

CVE-2024-9020

The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-9020

The CVE-2024-9020 entry affects the WordPress plugin List category posts, specifically versions prior to 0.90.3. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient validation/escaping of shortcode attributes, which can allow users with Contributor+ privileges to ...

CVE-2024-9020 List category posts < 0.90.3 - Author+ Stored XSS

The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-9020 List category posts < 0.90.3 - Author+ Stored XSS

The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...