CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2025/11/04 4:27 a.m.•20 views

CVE-2025-11812

CVE-2025-11812 : Reuse Builder (WordPress)

6.4CVSS4.7AI score0.00034EPSS

Cvelist•added 2025/11/04 4:27 a.m.•6 views

CVE-2025-11704 Elegance Menu <= 1.9 - Authenticated (Contributor+) Local File Inclusion

The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the elegance-menu shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and...

7.5CVSS0.00109EPSS

Exploits0References4

Positive Technologies•added 2025/11/04 12:0 a.m.•2 views

PT-2025-44935

Name of the Vulnerable Software and Affected Versions Elegance Menu versions prior to 2.0 Description The Elegance Menu plugin for WordPress is susceptible to Local File Inclusion in versions up to and including 1.9. An authenticated attacker with Contributor-level access or higher can exploit th...

7.5CVSS6.7AI score0.00109EPSS

Exploits0References5

Patchstack•added 2025/11/03 10:17 p.m.•3 views

WordPress WPCOM Member plugin <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability

Authenticated Contributor+ Local File Inclusion via Shortcode vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin WPCOM Member versions = 1.7.14...

8.8CVSS7AI score0.00154EPSS

Exploits0References1Affected Software1

NVD•added 2025/10/30 5:15 a.m.•2 views

CVE-2025-12475

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksynewslettersubscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

RedhatCVE•added 2025/10/26 7:16 a.m.•3 views

Exploits0References2

CVE-2025-11875

The SpendeOnline.org plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spendeonline' shortcode in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5AI score0.00032EPSS

Exploits0References1

Patchstack•added 2025/10/25 12:38 a.m.•6 views

WordPress ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by theviper17y in WordPress Plugin ShopLentor versions = 3.2.4...

6.4CVSS5.8AI score0.00025EPSS

Exploits0References1Affected Software1

NVD•added 2025/10/22 9:15 a.m.•1 views

CVE-2025-11880

The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

NVD•added 2025/10/22 9:15 a.m.•5 views

Exploits0References2

CVE-2025-11813

The Responsive iframe GoogleMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'responsivemap' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on the 'width' and 'height' attributes. This makes it...

NVD•added 2025/10/22 9:15 a.m.•1 views

CVE-2025-11817

The Simple Tableau Viz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableau' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Cvelist•added 2025/10/22 8:27 a.m.•6 views

CVE-2025-11817 Simple Tableau Viz <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE•added 2025/10/22 8:27 a.m.•15 views

CVE-2025-11813

CVE-2025-11813 — WordPress Responsive iframe GoogleMap plugin is vulnerable to stored cross-site scripting via the shortcode responsive_map in versions ≤ 1.0.2. The issue stems from insufficient input sanitization and output escaping on the width and height attributes, enabling authenticated user...

CVE•added 2025/10/22 8:27 a.m.•13 views

CVE-2025-11810

CVE-2025-11810 affects the WordPress plugin Print Button Shortcode (

CVE•added 2025/10/22 8:27 a.m.•14 views

CVE-2025-11818

The CVE-2025-11818 entry applies to the WordPress plugin WP Responsive Meet The Team, affected in versions up to 1.0.1. It describes a Stored Cross-Site Scripting (XSS) flaw via the wprm_team shortcode caused by insufficient input sanitization and output escaping. The vulnerability can be exploit...

CVE•added 2025/10/22 8:27 a.m.•15 views

CVE-2025-10138

CVE-2025-10138 affects the WordPress plugin This-or-That (versions up to and including 1.0.4). It enables stored XSS via the plugin’s thisorthat shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Impact: authenticated attackers with contributor-level...

Vulnrichment•added 2025/10/22 8:27 a.m.•2 views

Exploits0References2

CVE-2025-11804 JB News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JB News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'jbticker' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS4.8AI score0.00032EPSS