CVE-2026-3481

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

CVE-2026-3481

The CVE-2026-3481 entry concerns the WP Blockade WordPress plugin (versions

CVE-2026-3481 WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via 'shortcode' Parameter

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

CVE-2026-3481 WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via 'shortcode' Parameter

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

EUVD-2026-31407

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

CVE-2026-3481

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

PT-2026-42723

Name of the Vulnerable Software and Affected Versions WP Blockade versions prior to 0.9.15 Description The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the...

WordPress WP Blockade plugin <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability discovered by theviper17y in WordPress Plugin WP Blockade versions = 0.9.14...

CVE-2026-3480

The CVE-2026-3480 entry concerns the WordPress plugin WP Blockade (versions up to and including 0.9.14). The vulnerability is a Missing Authorization flaw in the admin_post handler for the shortcode render path. The function render_shortcode_preview() does not perform any capability checks (no cu...

CVE-2025-15488 Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the updateresponsivewoofreeshippingleftshortcode AJAX action that does not properly validate the contentrechdata parameter before processi...

EUVD-2026-10098

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it...

CVE-2025-14142

The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2026-1910

The UpMenu – Online ordering for restaurants plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lang' attribute of the 'upmenu-menu' shortcode in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-1187

The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

PT-2026-8087

The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the flexipsg carousel shortcode. This is due to the theme parameter being directly concatenated into a file path without proper sanitization...

PT-2026-7484

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn label' parameter in the 'orbisius random name generator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes i...

WordPress plugin Orbisius Random Name Generator 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2025-14613

The WordPress GetContentFromURL plugin is affected in all versions up to 1.0. The root cause is using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the [gcfu] shortcode; this enables authenticated attackers with Contributor-level access and above to ...

CVE-2025-14835

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-14835

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...