Lucene search
K

1422 matches found

Cvelist
Cvelist
added 3 days ago37 views

CVE-2026-1382 fresh Podcaster <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'freshpodcaster' Shortcode Attributes

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-3907 Hostel <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wphostel-book' Shortcode

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode...

6.4CVSS0.00206EPSS
Exploits0References8
NVD
NVD
added 5 days ago8 views

CVE-2026-14343

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'notebefore' and 'noteafter' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS0.00201EPSS
Exploits0References6
CVE
CVE
added 5 days ago8 views

CVE-2026-6910

Overview : CVE-2026-6910 affects the Bookero.pl online booking plugin for WordPress. Issue : Stored Cross-Site Scripting via the bookero_products shortcode attributes hide_products and filter_products in versions up to 2.2. The root cause is insufficient input sanitization and output escaping in ...

6.4CVSS6.1AI score0.00212EPSS
Exploits0References6
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-6910 Bookero.pl <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookeroproducts shortcode's hideproducts and filterproducts attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS0.00212EPSS
Exploits0References6
EUVD
EUVD
added 5 days ago9 views

EUVD-2026-42522

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'notebefore' and 'noteafter' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS6.1AI score0.00201EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/01 7:53 a.m.9 views

EUVD-2026-40934

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classwrapperform' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

6.4CVSS5.9AI score0.00193EPSS
Exploits0References4
CVE
CVE
added 2026/07/01 3:43 a.m.15 views

CVE-2026-13246

The CVE concerns GiveWP – Donation Plugin and Fundraising Platform for WordPress (up to version 4.16.0). A Stored XSS exists in the givewp_campaign_comments shortcode (block_id and similar attributes) due to insufficient sanitization and escaping in CampaignCommentsShortcode::parseAttributes() an...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References12
NVD
NVD
added 2026/06/27 8:16 a.m.11 views

CVE-2026-11597

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode...

6.4CVSS0.00193EPSS
Exploits0References5
CVE
CVE
added 2026/06/27 6:50 a.m.16 views

CVE-2026-11597

The CVE concerns the WordPress plugin “Surbma | Infusionsoft Shortcode” for versions up to 2.0.1. It enables Stored Cross-Site Scripting via the infusionsoft-form shortcode by unsafely handling user-supplied account and id attributes in surbma_infusionsoft_shortcode_shortcode(), which are concate...

6.4CVSS5.9AI score0.00193EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/27 6:50 a.m.37 views

CVE-2026-11597 Surbma | Infusionsoft Shortcode <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode...

6.4CVSS0.00193EPSS
Exploits0References5
NVD
NVD
added 2026/06/24 7:16 a.m.10 views

CVE-2026-10531

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS0.00133EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 6:0 a.m.5 views

EUVD-2026-38692

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.34 views

CVE-2026-8865 Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notab...

6.4CVSS0.00193EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 5:33 a.m.12 views

CVE-2026-8865

CVE-2026-8865 affects the Avalon23 Products Filter for WooCommerce WordPress plugin (

6.4CVSS6AI score0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.36 views

CVE-2026-8896 MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute and other attributes such as 'readyanimationtext' of the 'mscstats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and outpu...

6.4CVSS0.00187EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.11 views

PT-2026-51666

Name of the Vulnerable Software and Affected Versions AI Share & Summarize versions prior to 2.0.4 Description Users with the Contributor role and above can perform Stored Cross-Site Scripting XSS attacks. This occurs because the plugin fails to sanitize and escape certain shortcode attributes,...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References6
CVE
CVE
added 2026/06/18 6:50 a.m.30 views

CVE-2026-12136

CVE-2026-12136 affects the WordPress plugin “Customize My Account for WooCommerce” up to version 4.3.6. The root cause is insufficient input sanitization and output escaping on shortcode attributes (min_height, min_width, max_height, max_width) used by sysbasics_user_avatar, which are concatenate...

6.4CVSS5.6AI score0.00193EPSS
Exploits0References5
NVD
NVD
added 2026/06/10 10:17 p.m.12 views

CVE-2026-53742

Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser...

5.4CVSS0.00141EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 8:39 p.m.9 views

CVE-2026-53742 Simple Link Directory through 9.0.4 Stored XSS via Embed Shortcode Attributes

Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser...

5.4CVSS5.5AI score0.00141EPSS
Exploits0References2
Rows per page
Query Builder