
712 matches found

NVD
added 2026/04/16 3:17 p.m., 0 views

CVE-2026-2840

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eebmailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, EPSS 0.00037
Exploits: 0, References: 3

ATTACKERKB
added 2026/04/16 2:10 p.m., 0 views

CVE-2026-2840

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eebmailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, AI score 5.9, EPSS 0.00037
Exploits: 0, References: 4

Patchstack
added 2026/04/16 10:55 a.m., 4 views

WordPress Prismatic plugin <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode vulnerability

Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Prismatic versions <= 3.7.3...

CVSS 7.2, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 1, Affected Software: 1

NVD
added 2026/04/16 7:16 a.m., 1 views

CVE-2025-13364

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'putwpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on...

CVSS 6.4, EPSS 0.00012
Exploits: 0, References: 2

CVE
added 2026/04/16 6:44 a.m., 10 views

CVE-2025-13364

CVE-2025-13364 affects the WordPress plugin “WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters” up to version 4.8.7. The issue is a Stored Cross-Site Scripting (stored‑XSS) flaw caused by insufficient input sanitization and output escaping on user‑supplied ...

CVSS 6.4, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 2

Patchstack
added 2026/04/15 11:08 p.m., 2 views

WordPress WP Shortcodes Plugin - Shortcodes Ultimate plugin <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode vulnerability

WordPress WP Shortcodes Plugin - Shortcodes Ultimate plugin <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Shortcodes Ultimate versions <= 7.4.9...

CVSS 6.4, AI score 5.8, EPSS 0.00012
Exploits: 0, References: 1, Affected Software: 1

Positive Technologies
added 2026/04/15 12:00 a.m., 2 views

PT-2026-33013

Name of the Vulnerable Software and Affected Versions: VI: Include Post By versions prior to 0.4.200706. Description: Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping on user supplied attributes. Authenticated attackers with contributor-level access and...

CVSS 6.4, AI score 5.4, EPSS 0.00037
Exploits: 0, References: 7

CVE
added 2026/04/14 3:37 a.m., 4 views

CVE-2026-1607

CVE-2026-1607 affects the Surbma | Booking.com Shortcode plugin for WordPress, up to version 2.1. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes of the surbma-bookingcom shortcode, enabling an authenticated attacker with contributor-level acce...

CVSS 6.4, AI score 5.9, EPSS 0.00037
Exploits: 0, References: 2

Patchstack
added 2026/04/14 3:37 a.m., 1 views

WordPress Surbma | Booking.com plugin <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Surbma | Booking.com Shortcode versions <= 2.1...

CVSS 6.4, AI score 5.8, EPSS 0.00037
Exploits: 0, References: 1, Affected Software: 1

EUVD
added 2026/04/08 9:31 a.m., 2 views

EUVD-2026-20131

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4, AI score 6.1, EPSS 0.00039
Exploits: 0, References: 5

EUVD
added 2026/04/08 9:31 a.m., 2 views

EUVD-2026-20106

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

CVSS 6.4, AI score 6, EPSS 0.00027
Exploits: 0, References: 10

NVD
added 2026/04/08 7:16 a.m., 0 views

CVE-2026-4871

The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the scmmemberdata shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, EPSS 0.00037
Exploits: 0, References: 3

EUVD
added 2026/04/08 6:31 a.m., 2 views

EUVD-2026-20045

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learnpresscourses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode...

CVSS 6.4, AI score 6.1, EPSS 0.00046
Exploits: 0, References: 7

EUVD
added 2026/04/08 6:31 a.m., 2 views

EUVD-2026-20048

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttoncaption' parameter in the latepointresources shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the...

CVSS 6.4, AI score 6.1, EPSS 0.00015
Exploits: 0, References: 7

NVD
added 2026/04/08 5:16 a.m., 1 views

CVE-2026-4333

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learnpresscourses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode...

CVSS 6.4, EPSS 0.00046
Exploits: 0, References: 6

Positive Technologies
added 2026/04/08 12:00 a.m., 1 views

PT-2026-31112

Name of the Vulnerable Software and Affected Versions: The Magic Conversation For Gravity Forms plugin for WordPress versions up to and including 3.0.97. Description: The Magic Conversation For Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the...

CVSS 6.4, AI score 5.9, EPSS 0.00039
Exploits: 0, References: 7

Patchstack
added 2026/04/07 10:57 p.m., 3 views

WordPress LatePoint plugin <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zaim in WordPress Plugin LatePoint versions <= 5.3.0...

CVSS 6.4, AI score 5.9, EPSS 0.00015
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/04/07 3:28 a.m., 1 views

WordPress WPFunnels plugin <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin WPFunnels versions <= 3.7.9...

CVSS 6.4, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 1, Affected Software: 1

ATTACKERKB
added 2026/04/04 7:41 a.m., 1 views

CVE-2026-0552

The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4, AI score 6.1, EPSS 0.00012
Exploits: 0, References: 3

Patchstack
added 2026/04/04 12:06 a.m., 1 views

WordPress WP Travel Engine - Travel and Tour Booking Plugin plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode vulnerability

WordPress WP Travel Engine - Travel and Tour Booking Plugin plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Travel Engine versions <= 6.7.5...

CVSS 6.4, AI score 5.9, EPSS 0.00037
Exploits: 0, References: 1, Affected Software: 1