228 matches found
CVE-2026-1805
CVE-2026-1805 concerns the DA Media GigList WordPress plugin. It is vulnerable to Stored Cross‑Site Scripting via the plugin’s shortcodes (damedia_giglist) in all versions up to and including 1.9.0 due to insufficient input sanitization and output escaping on user‑supplied attributes. Authenticat...
CVE-2026-1820 Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmaltscdivupdatealttext' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
CVE-2026-2020
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...
WordPress Show YouTube video plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Show YouTube video versions = 1.1...
CVE-2026-2020 JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...
CVE-2026-2020
The WordPress JS Archive List plugin (all versions up to 6.1.7) is vulnerable to PHP Object Injection via the shortcodes’ included attribute. The vulnerability arises from deserializing untrusted input, enabling authenticated attackers with Contributor-level access or higher to inject a PHP objec...
CVE-2026-2355
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
WordPress Secure Copy Content Protection and Content Locking plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Secure Copy Content Protection and Content Locking versions = 5.0.1...
WordPress InteractiveCalculator for WordPress plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin InteractiveCalculator for WordPress versions = 1.0.3...
CVE-2026-1903
The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sbravelrydesigns' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2026-1988 Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute
The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the flexipsgcarousel shortcode. This is due to the theme parameter being directly concatenated into a file path without proper sanitization ...
WordPress Best-wp-google-map plugin <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'latitude' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin Best-wp-google-map versions = 2.1...
CVE-2026-1885
The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-1853
CVE-2026-1853 : The BuddyHolis ListSearch plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (SXSS) via the plugin’s shortcodes. In versions up to and including 1.1, insufficient input sanitization and output escaping on user-supplied attributes enables an attacker with at least ...
CVE-2026-1804 WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1804 WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute
The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...
WordPress Slideshow Wp plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Slideshow Wp versions = 1.1...
WordPress Orbisius Random Name Generator plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'btnlabel' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Orbisius Random Name Generator versions = 1.0.2...
CVE-2026-1922
CVE-2026-1922 : The Events Calendar Shortcode & Block plugin for WordPress contains a stored XSS vulnerability in the ecs-list-events shortcode, via the message attribute. It affects all versions up to 3.1.2 and arises from insufficient input sanitization and output escaping on user-supplied attr...