CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added last week•8 views

EUVD-2026-32750

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the shariff shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS6AI score0.0004EPSS

Exploits0References6

EUVD•added 2026/05/27 5:31 a.m.•6 views

EUVD-2026-32082

The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's iwrtooltip shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the iwrtooltip shortcode handler — the...

EUVD•added 2026/05/27 5:31 a.m.•4 views

EUVD-2026-32075

The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

Vulnrichment•added 2026/05/27 5:31 a.m.•6 views

CVE-2026-8887 Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...

EUVD•added 2026/05/27 5:31 a.m.•4 views

EUVD-2026-32056

The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes autocomplete, label,...

Positive Technologies•added 2026/05/27 12:0 a.m.•6 views

PT-2026-43524

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00044EPSS

Exploits0References4

Positive Technologies•added 2026/05/27 12:0 a.m.•5 views

PT-2026-43530

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes such as 'organizer id', 'width', 'height',...

Positive Technologies•added 2026/05/27 12:0 a.m.•5 views

Exploits0References4

PT-2026-43512

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquote build...

RedhatCVE•added 2026/05/13 2:21 p.m.•4 views

Exploits0References4

CVE-2026-6247

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

NVD•added 2026/05/13 5:16 a.m.•3 views

Exploits0References1

CVE-2026-6962

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...

6.4CVSS0.00036EPSS

EUVD•added 2026/05/13 4:26 a.m.•3 views

EUVD-2026-29898

6.4CVSS6AI score0.00036EPSS

Cvelist•added 2026/05/12 7:48 a.m.•28 views

CVE-2026-4859 SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00032EPSS

ATTACKERKB•added 2026/05/12 7:48 a.m.•3 views

CVE-2026-5340

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fancy-img-show shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

6.4CVSS6AI score0.00034EPSS

Positive Technologies•added 2026/05/12 12:0 a.m.•5 views

PT-2026-39975

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00011EPSS

Positive Technologies•added 2026/05/08 12:0 a.m.•5 views

PT-2026-38903

Name of the Vulnerable Software and Affected Versions NMR Strava activities plugin for WordPress versions prior to 1.0.15 Description Insufficient input sanitization and output escaping on user supplied attributes in the strava nmr connect shortcode allow authenticated attackers with...

6.4CVSS6AI score0.00013EPSS

Exploits0References9

CVE•added 2026/05/06 6:47 a.m.•4 views

CVE-2026-6672

The CVE concerns the WordPress plugin SliceWP Affiliates (Affiliate Program Suite). A Stored Cross‑Site Scripting (Stored XSS) vulnerability exists in all versions up to 1.2.7 due to insufficient input sanitization and output escaping in the slicewp_affiliate_url shortcode attributes. Exploitatio...