PT-2026-1635

Name of the Vulnerable Software and Affected Versions My Album Gallery plugin for WordPress versions prior to 1.0.5 Description The My Album Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the style css shortcode attribute. Insufficient input sanitization and...

WordPress plugin My Album Gallery 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...

WordPress Snillrik Restaurant plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'menu_style' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'menustyle' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Snillrik Restaurant versions = 2.2.1...

CVE-2025-14153

CVE-2025-14153 is a WordPress plugin vulnerability in Page Expire Popup/Redirection for WordPress. The issue is a time-based SQL Injection via the shortcod e attribute id in versions up to 1.0, caused by insufficient escaping and lack of proper query preparation. Exploitation requires authenticat...

WordPress WishSuite plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'buttontext' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WishSuite versions = 1.5.1...

CVE-2025-13963 FX Currency Converter <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxccconvert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-13840

CVE-2025-13840 — Bukazu Search Widget (WordPress) Vulnerability: Stored XSS via the shortcodes attribute of bukazu_search. Exploitation requires authentication at Contributor level or higher. Impact: injected scripts execute when users load the affected page. Affected versions: all versions up to...

CVE-2025-13840 BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute

The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazusearch' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2025-13969 Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute

The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the reviews-slider shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

WordPress VigLink SpotLight By ShortCode plugin <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'float' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin VigLink SpotLight By ShortCode versions = 1.0.a...

WordPress BUKAZU Search widget plugin <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin BUKAZU Search widget versions = 3.3.2...

WordPress Paypal Payment Shortcode plugin <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'buttomimage' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Paypal Payment Shortcode versions = 1.01...

WordPress LJUsers plugin <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin LJUsers versions = 1.2.0...

CVE-2025-13656

CVE-2025-13656 (Cute News Ticker, WordPress) is a stored cross-site scripting vulnerability in the Cute News Ticker plugin (WordPress) affecting versions up to 1.0. It stems from insufficient input sanitization and output escaping of the color shortcode attribute, allowing an authenticated attack...

CVE-2025-13898 Ultra Skype Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_id' Shortcode Attribute

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnid' parameter of the ultraskype shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

WordPress Cute News Ticker plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'color' Shortcode Attribute vulnerability discovered by ChamlaVic in WordPress Plugin Cute News Ticker versions = 1.0...

CVE-2025-11800

The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11826

CVE-2025-11826 involves the WP Company Info plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the class attribute of the social-networks shortcode, affecting all versions up to 1.9.0. Exploitation requires authenticated access at contributor level or higher, allow...

WordPress Code Snippets plugin code injection vulnerability

WordPress Code Snippets plugin is a plugin designed for WordPress to conveniently add and manage custom code snippets without having to directly modify the theme files. The WordPress Code Snippets plugin suffers from a code injection vulnerability that stems from the evaluateshortcodefromflatfile...

CVE-2025-11704

The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the elegance-menu shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and...