228 matches found
CVE-2026-8702
The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbitoprintshortcode function, which concatenates the raw shortcode attribute value directly...
CVE-2026-8698 Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute
The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the asgetcoinshortcode function, which renders the 'width' and 'height' shortcode attribute directly into the style attribut...
PT-2026-43502
The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi toprint shortcode function, which concatenates the raw shortcode attribute value directly...
CVE-2026-8038
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-3694
CVE-2026-3694 affects the Bold Page Builder plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the bt_bb_button shortcode’s 'text' attribute across all versions up to and including 5.6.8. It stems from insufficient input sanitization and output escaping for use...
CVE-2026-4920
The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
EUVD-2026-29396
The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2026-6247 scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute
The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-5715 Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode
The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
CVE-2026-4920 Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute
The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2026-4859 SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute
The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
PT-2026-39951
The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
WordPress plugin Next Date 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...
CVE-2026-6672
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the...
CVE-2026-6725
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the wpcsmtextrotator shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-6725 WPC Smart Messages for WooCommerce <= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the wpcsmtextrotator shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied...
EUVD-2026-22869
The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the...
EUVD-2026-24702
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2026-4125
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-6236 Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...