712 matches found
CVE-2025-10191
CVE-2025-10191 concerns the WordPress plugin Big Post Shipping for WooCommerce. The vulnerability is a Stored Cross-Site Scripting (XSS) in the shortcode wooboigpost_shipping_status. Affected versions are up to 2.1.1 (Wordfence listing confirms patching in 2.1.2). The issue stems from insufficie...
CVE-2025-9852
CVE-2025-9852: Yoga Schedule Momoyoga WordPress plugin versions
CVE-2025-10179 My AskAI <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
PT-2025-39931
Name of the Vulnerable Software and Affected Versions: All Social Share Options plugin for WordPress versions prior to 1.1 Description: The All Social Share Options plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s ‘sc’ shortcode. Insufficient input sanitizatio...
PT-2025-39935
Name of the Vulnerable Software and Affected Versions: BP Direct Menus plugin for WordPress versions prior to 1.0.1 Description: The BP Direct Menus plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'bpdm login' shortcode. Insufficient input sanitization and output...
PT-2025-39948
Name of the Vulnerable Software and Affected Versions: Yoga Schedule Momoyoga plugin for WordPress versions prior to 2.9.1 Description: The Yoga Schedule Momoyoga plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'momoyoga-schedule' shortcode. Insufficient input...
CVE-2025-10136 TweetThis Shortcode <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The TweetThis Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tweetthis' shortcode in all versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-8906
The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-58653
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in JS Morisset JSM filegetcontents Shortcode wp-file-get-contents allows Stored XSS. This issue affects JSM filegetcontents Shortcode: from n/a through <= 2.7.1...
CVE-2025-10181
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
PT-2025-38942
Name of the Vulnerable Software and Affected Versions: JS Morisset JSM file get contents Shortcode versions through 2.7.1 Description: A flaw exists in JS Morisset JSM file get contents Shortcode that allows for Stored Cross-site Scripting XSS. This issue is due to improper neutralization of input...
CVE-2025-10652
The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘moduleid’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...
CVE-2025-9565
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksynewslettersubscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
CVE-2025-10143
The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catchdarkmode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on t...
CVE-2025-9851
The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmindcalendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-9851 Appointmind <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmindcalendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2025-38097
Name of the Vulnerable Software and Affected Versions: Catch Dark Mode plugin for WordPress versions up to and including 2.0 Description: The Catch Dark Mode plugin for WordPress is susceptible to a Local File Inclusion issue via the catch dark mode shortcode. This allows authenticated attackers...
CVE-2025-8721
The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workablejobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...