Lucene search
K

9086 matches found

Nuclei
Nuclei
added yesterday58 views

Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution

The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

7.3CVSS7.3AI score0.01888EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday20 views

WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution

The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode...

7.3CVSS6.4AI score0.01411EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday16 views

ShortCode Addons - Unauthenticated Options Update

WordPress plugin Shortcode Addons = 3.0.2 contains an unauthenticated arbitrary option update caused by insufficient access controls in the plugin, letting attackers modify options without authentication. id: CVE-2022-34487 info: name: ShortCode Addons - Unauthenticated Options Update author:...

9.8CVSS6.3AI score0.02654EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday44 views

SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue id: CVE-2021-24878 info: name: SupportCandy 2.2.7 - Reflected Cross-Site...

6.1CVSS6.4AI score0.01165EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday24 views

Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to supply arbitrary shortcodes in the contentrechdata parameter that is then executed. This makes it possible for...

9.8CVSS7.3AI score0.01852EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday48 views

WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution

The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wpajaxnoprivshortcodeApiAdd AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that...

9.8CVSS6.4AI score0.51316EPSS
Exploits1References3
NVD
NVD
added 3 days ago7 views

CVE-2026-1382

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00193EPSS
Exploits0References4
NVD
NVD
added 3 days ago8 views

CVE-2025-6784

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated...

8.8CVSS0.00483EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-43154

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References4
CVE
CVE
added 3 days ago14 views

CVE-2026-1382

The CVE-2026-1382 entry covers the WordPress plugin “fresh Podcaster” up to version 1.0.7. The vulnerability is a Stored Cross-Site Scripting (stored XSS) flaw in the freshpodcaster shortcode attributes, caused by insufficient input sanitization and output escaping on user-supplied data. Impact i...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago8 views

EUVD-2025-210455

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated...

8.8CVSS6.3AI score0.00483EPSS
Exploits0References2
NVD
NVD
added 3 days ago8 views

CVE-2026-13116

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generatedocumentshortcode due to missing validation on a user controlled key. This makes it possible for authenticated...

4.3CVSS0.00223EPSS
Exploits0References8
NVD
NVD
added 3 days ago7 views

CVE-2025-13968

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the starboard-suite-lightbox shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS0.00201EPSS
Exploits0References6
EUVD
EUVD
added 3 days ago4 views

EUVD-2025-210454

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the starboard-suite-lightbox shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References6
CVE
CVE
added 3 days ago8 views

CVE-2025-13968

The CVE concerns the WordPress plug-in Starboard Suite Reservation Calendars (WordPress). It is vulnerable to Stored Cross-Site Scripting via the [starboard-suite-lightbox] shortcode attributes in all versions up to and including 3.1.4 due to insufficient input sanitization and output escaping. T...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-13116 PDF Invoices & Packing Slips for WooCommerce <= 5.14.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via 'order_id' Shortcode Attribute

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generatedocumentshortcode due to missing validation on a user controlled key. This makes it possible for authenticated...

4.3CVSS0.00223EPSS
Exploits0References8
CVE
CVE
added 3 days ago10 views

CVE-2026-13116

CVE-2026-13116 affects the PDF Invoices & Packing Slips for WooCommerce plugin (WordPress) ≤ 5.14.0. Issue: Insecure Direct Object Reference via generate_document_shortcode caused by missing validation on a user-controlled key. Consequence: authenticated attackers with contributor+ access can min...

4.3CVSS6.1AI score0.00223EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-57386

Name of the Vulnerable Software and Affected Versions Starboard Suite Reservation Calendars versions prior to 3.1.5 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping within the starboard-suite-lightbox shortcode attributes. Authenticated...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-57388

Name of the Vulnerable Software and Affected Versions PDF Invoices & Packing Slips for WooCommerce versions prior to 5.14.1 Description An Insecure Direct Object Reference IDOR exists in the generate document shortcode function due to missing validation on a user-controlled key. Authenticated...

4.3CVSS6.1AI score0.00223EPSS
Exploits0References11
NVD
NVD
added 4 days ago7 views

CVE-2026-13010

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS0.00254EPSS
Exploits0References4
Rows per page
Query Builder