712 matches found

RedhatCVE · added 2025/05/22 9:4 p.m. · 4 views

CVE-2021-24851

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (i.e. private), using a shortcode. Password-protected posts/pages are not affected by this issue...

CVSS 4.3 · AI score 6.8 · EPSS 0.00186
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 9:3 p.m. · 6 views

CVE-2021-24412

The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious...

CVSS 5.4 · AI score 6.3 · EPSS 0.0018
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 7:23 p.m. · 4 views

CVE-2021-24694

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform a Stored Cross-Site Scripting attack via 1) the "color" or "css_class" argument of the sdm_download shortcode, 2) the "class" or "placeholder" argument of the sdm_search_form shortcode...

CVSS 5.4 · AI score 6 · EPSS 0.0018
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 7:21 p.m. · 5 views

CVE-2021-24226

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the accessally_order_form shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the...

CVSS 7.5 · AI score 6.8 · EPSS 0.25403
Exploits 2 · References 1
RedhatCVE · added 2025/05/22 12:50 a.m. · 3 views

CVE-2015-9318

The awesome-support plugin before 3.1.7 for WordPress has a security issue in which shortcodes are allowed in replies...

CVSS 7.5 · AI score 7.1 · EPSS 0.00254
Exploits 0 · References 1
OSV · added 2025/05/17 12:15 p.m. · 1 views

CVE-2025-4669

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 7.5
Exploits 0 · References 6
Vulnrichment · added 2025/05/15 8:7 p.m. · 10 views

CVE-2024-5440 If-So Dynamic Content Personalization < 1.8.0.3 - Contributor+ Shortcode Stored XSS

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...

AI score 5.5 · EPSS 0.0014
Exploits 1 · References 1
Cvelist · added 2025/05/15 8:6 p.m. · 6 views

CVE-2024-12722 Twitter Bootstrap Collapse aka Accordian Shortcode <= 1.0 - Stored XSS via Shortcode

The Twitter Bootstrap Collapse aka Accordian Shortcode WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored...

EPSS 0.00222
Exploits 1 · References 1
Vulnrichment · added 2025/05/15 8:6 p.m. · 5 views

CVE-2024-11502 Planning Center Online Giving <= 1.0.0 - Contributor+ XSS via Shortcode

The Planning Center Online Giving WordPress plugin through 1.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scriptin...

AI score 5.4 · EPSS 0.0052
Exploits 1 · References 1
Vulnrichment · added 2025/05/15 8:6 p.m. · 7 views

CVE-2024-10075 Jetpack < 13.8 - Unauthenticated Arbitrary Block & Shortcode Execution

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block...

AI score 6.7 · EPSS 0.00276
Exploits 1 · References 1
CVE · added 2025/05/15 3:21 a.m. · 44 views

CVE-2025-4126

CVE-2025-4126 affects the WordPress EG-Series plugin (versions up to and including 2.1.1). Affected component is the shortcode_title handling in the [series] shortcode, where insufficient input sanitization and output escaping allows authenticated attackers (contributor level+) on sites with Clas...

CVSS 6.4 · AI score 5.8 · EPSS 0.00178
Exploits 1 · References 2
Vulnrichment · added 2025/05/02 1:43 a.m. · 4 views

CVE-2025-4131 GmapsMania <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 · AI score 5.8 · EPSS 0.00164
Exploits 0 · References 2
Cvelist · added 2025/05/01 11:11 a.m. · 11 views

CVE-2025-3890 WordPress Simple PayPal Shopping Cart <= 5.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4 · EPSS 0.00157
Exploits 0 · References 4
Vulnrichment · added 2025/05/01 6:40 a.m. · 6 views

CVE-2025-4100 Nautic Pages <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'npmarinetrafficmap' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 · AI score 5.9 · EPSS 0.00293
Exploits 0 · References 2
OSV · added 2025/05/01 5:15 a.m. · 0 views

CVE-2025-4099

The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listchildren' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 6
Exploits 0 · References 3
RedhatCVE · added 2025/04/28 9:14 a.m. · 11 views

CVE-2024-13812

The Anps Theme plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for...

CVSS 6.5 · AI score 7.9 · EPSS 0.00247
Exploits 0 · References 1
Positive Technologies · added 2025/04/26 12:0 a.m. · 2 views

PT-2025-17945 · WordPress · Smart Form Plugin

Name of the Vulnerable Software and Affected Versions: Create custom forms for WordPress with a smart form plugin for smart businesses versions 1.2.4 and earlier Description: The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software not properly validating a...

CVSS 7.3 · AI score 8.1 · EPSS 0.00217
Exploits 0 · References 12
Patchstack · added 2025/03/24 8:42 p.m. · 3 views

WordPress DesignThemes Core Features plugin <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin DesignThemes Core Features versions <= 4.8...

CVSS 6.4 · AI score 5.8 · EPSS 0.0013
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2025/03/18 8:2 a.m. · 3 views

WordPress s2Member Pro plugin <= 250214 - Authenticated (Contributor+) Local File Inclusion to Remote Code Execution via Shortcode vulnerability

Authenticated Contributor+ Local File Inclusion to Remote Code Execution via Shortcode vulnerability discovered by István Márton in WordPress Plugin s2Member Pro versions <= 250214...

CVSS 8.8 · AI score 9 · EPSS 0.00071
Exploits 0 · References 1 · Affected Software 1
OSV · added 2025/03/12 9:15 a.m. · 2 views

CVE-2024-13430

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it...

CVSS 4.3 · AI score 5.8 · EPSS 0.00073
Exploits 0 · References 2
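The entries above repeat two patterns: a shortcode handler that interpolates Contributor-supplied attributes into markup without escaping (the Stored XSS entries), and an endpoint that hands caller-controlled text to do_shortcode() (the arbitrary shortcode execution entries). The PHP below is an added illustration of the vulnerable form of each next to a hardened form; it is written for this page and is not code from any plugin listed here. The shortcode name demo_box, the AJAX action demo_render, the nonce action name and all attribute names are hypothetical; only WordPress core functions are called.

```php
<?php
/**
 * Illustrative WordPress shortcode handlers (added example, not from any listed plugin).
 * Pattern 1: shortcode attributes echoed into markup without escaping (Contributor+ stored XSS).
 * Pattern 2: do_shortcode() run over a value the caller controls (arbitrary shortcode execution).
 * The names demo_box, demo_render and the attribute keys are hypothetical.
 */

// --- Pattern 1, vulnerable: attributes are trusted and interpolated raw. ---------------
// A Contributor can save [demo_box title='x" onmouseover="alert(1)' url="javascript:alert(1)"]
// in a draft; when an Editor or Administrator previews it, the payload runs in their session.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '#000000', 'url' => '' ), $atts, 'demo_box' );
    return '<div class="demo-box" style="color:' . $atts['color'] . '">'
         . '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// --- Pattern 1, hardened: validate on the way in, escape for the exact output context. ---
function demo_box_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '#000000', 'url' => '' ), $atts, 'demo_box' );

    // Validate: a colour must be a 3- or 6-digit hex colour, a URL must use http(s).
    $color = sanitize_hex_color( $atts['color'] );            // null when not #rgb / #rrggbb
    if ( null === $color || '' === $color ) {
        $color = '#000000';
    }
    $url = esc_url( $atts['url'], array( 'http', 'https' ) ); // '' for javascript:, data:, etc.

    // Escape per context: esc_attr() inside attribute values, esc_html() in text nodes.
    return '<div class="demo-box" style="color:' . esc_attr( $color ) . '">'
         . '<a href="' . $url . '" title="' . esc_attr( $atts['title'] ) . '">'
         . esc_html( $atts['title'] ) . '</a></div>';
}

// --- Pattern 2, vulnerable: a request parameter is parsed for shortcodes. --------------
// Anyone who can reach this action can invoke any registered shortcode on the site,
// including ones from other plugins that are only safe because an editor normally places them.
function demo_render_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // arbitrary shortcode execution
    wp_die();
}

// --- Pattern 2, hardened: authorise, then build the shortcode string from an allowlist. ---
function demo_render_hardened() {
    check_ajax_referer( 'demo_render', 'nonce' );            // rejects requests without a valid nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( '', '', array( 'response' => 403 ) );
    }
    $allowed = array( 'demo_box', 'demo_list' );              // only shortcodes this feature needs
    $name    = isset( $_POST['shortcode'] ) ? sanitize_key( $_POST['shortcode'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_die( '', '', array( 'response' => 400 ) );
    }
    // Nothing from the request body is parsed: the string passed to do_shortcode() is ours.
    echo do_shortcode( '[' . $name . ']' );
    wp_die();
}

add_shortcode( 'demo_box', 'demo_box_hardened' );
add_action( 'wp_ajax_demo_render', 'demo_render_hardened' );
```

Escaping alone does not address the information-exposure entries (CVE-2021-24851, CVE-2024-13430): a handler that renders another post's content from an attribute such as an ID must also check `current_user_can( 'read_post', $id )` before loading it, so that a Contributor cannot pull private or draft content belonging to other authors into a page.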