712 matches found
EUVD-2026-29898
The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...
CVE-2026-4859 SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute
The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-5340
The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fancy-img-show shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
PT-2026-39975
The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2026-38903
Name of the Vulnerable Software and Affected Versions NMR Strava activities plugin for WordPress versions prior to 1.0.15 Description Insufficient input sanitization and output escaping on user supplied attributes in the strava nmr connect shortcode allow authenticated attackers with...
CVE-2026-6672
The CVE concerns the WordPress plugin SliceWP Affiliates (Affiliate Program Suite). A Stored Cross‑Site Scripting (Stored XSS) vulnerability exists in all versions up to 1.2.7 due to insufficient input sanitization and output escaping in the slicewp_affiliate_url shortcode attributes. Exploitatio...
CVE-2026-4088
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...
CVE-2026-4280
The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwpajaxform AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwptheme option...
EUVD-2026-24652
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...
EUVD-2026-24668
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'tablemanager' shortcode. The shortcode handler tablemanagerrendertableshortcode takes a user-controlled table attribute, applies only sanitizekey for...
CVE-2026-6246
The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'containerrightwidth' attribute of the 'simplerandomposts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-5767
The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slideShowProSC shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-6246
CVE-2026-6246 affects the WordPress plugin Simple Random Posts Shortcode (versions up to 0.3). The issue is Stored Cross-Site Scripting via the container_right_width attribute of the simple_random_posts shortcode, caused by insufficient input sanitization and output escaping on user-supplied attr...
CVE-2026-4088
The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...
CVE-2026-4088
Summary: The WordPress Switch CTA Box plugin (versions up to 1.1) is vulnerable to Stored Cross-Site Scripting via the wppw_cta_box shortcode due to insufficient sanitization/output escaping of post meta values (cta_box_button_link, cta_box_button_id, cta_box_button_text, cta_box_description). Th...
PT-2026-34308
Name of the Vulnerable Software and Affected Versions Simple Random Posts Shortcode versions prior to 0.4 Description The Simple Random Posts Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject...
PT-2026-34303
Name of the Vulnerable Software and Affected Versions SlideShowPro SC versions prior to 1.0.3 Description The SlideShowPro SC plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes withi...
PT-2026-34290
Name of the Vulnerable Software and Affected Versions Table Manager versions prior to 1.0.1 Description The Table Manager plugin for WordPress allows authenticated attackers with Contributor-level access and above to extract sensitive data from arbitrary WordPress database tables. The issue occur...
PT-2026-34300
Name of the Vulnerable Software and Affected Versions Breaking News WP versions prior to 1.4 Description The Breaking News WP plugin for WordPress contains a Local File Inclusion issue. The 'brnwp ajax form' AJAX endpoint lacks authorization checks and CSRF verification. Additionally, there is...
CVE-2026-2505
The CVE-2026-2505 entry concerns the WordPress Categories Images plugin (versions