CVE-2024-10151

CVE-2024-10151 concerns the Auto iFrame WordPress plugin (before 2.0). It allows Stored XSS via unvalidated shortcode attributes output in posts when the shortcode is embedded. Affected users must have Contributor+ rights; impact is limited to stored XSS on pages using the shortcode. Connected Re...

CVE-2024-12030

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'key' attribute of the 'mdfvalue' shortcode in all versions up to, and including, 1.3.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

PT-2025-1578 · WordPress · Auto Iframe

Name of the Vulnerable Software and Affected Versions: Auto iFrame WordPress plugin versions prior to 2.0 Description: The issue concerns the Auto iFrame WordPress plugin, where versions prior to 2.0 do not validate and escape some of its shortcode attributes before outputting them back in a page...

WordPress plugin Auto iFrame 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2025-22558

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Marcus C. J. Hartmann mcjh button shortcode mcjh-button-shortcode allows Stored XSS.This issue affects mcjh button shortcode: from n/a through = 1.6.4...

CVE-2025-22555 WordPress Smoothness Slider Shortcode plugin <= v1.2.2 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in Noel Jarencio. Smoothness Slider Shortcode allows Cross Site Request Forgery.This issue affects Smoothness Slider Shortcode: from n/a through v1.2.2...

CVE-2025-22555

CVE-2025-22555 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Smoothness Slider Shortcode, affecting versions up to v1.2.2. The description notes CSRF can lead to stored Cross-Site Scripting (XSS); CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base score 7.1 (HIG...

CVE-2025-22558 WordPress mcjh button shortcode plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Marcus C. J. Hartmann mcjh button shortcode mcjh-button-shortcode allows Stored XSS.This issue affects mcjh button shortcode: from n/a through = 1.6.4...

CVE-2025-22558

CVE-2025-22558 affects the WordPress plugin mcjh button shortcode . The vulnerability is described as an stored Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation, impacting the mcjh button shortcode from version n/a up to 1.6.4. The CVSS metrics in the ...

WordPress Smoothness Slider Shortcode plugin <= v1.2.2 - CSRF to Stored XSS vulnerability

CSRF to Stored XSS vulnerability discovered by SOPROBRO Patchstack Alliance in WordPress Plugin Smoothness Slider Shortcode versions = v1.2.2...

WordPress mcjh button shortcode plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by SOPROBRO Patchstack Alliance in WordPress Plugin mcjh button shortcode versions = 1.6.4...

CVE-2024-11826

The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quillforms-popup' shortcode in all versions up to, and including...

WordPress Tabs Shortcode plugin <= 2.0.2 - Contributor+ XSS via Shortcode vulnerability

Contributor+ XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin Tabs Shortcode versions = 2.0.2...

WordPress Toggles Shortcode and Widget plugin <= 1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Yamil in WordPress Plugin Toggles Shortcode and Widget versions = 1.14...

CVE-2024-12437 Marketplace Items <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'envato' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-12499 WP jQuery DataTable <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP jQuery DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpjdt' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-11764 Solar Wizard Lite <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Solar Wizard Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'solarwizard' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-11606

The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-11606

The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-10536

The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handleblockshortcodeexport function in all versions up to, and including, 6.0.0. This...