712 matches found
CVE-2025-2169
The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2025-1324 WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes...
WordPress WP-Recall plugin <= 16.26.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin WP-Recall versions <= 16.26.10...
WordPress Authors List plugin <= 2.0.6 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by abrahack in WordPress Plugin Authors List versions <= 2.0.6...
CVE-2025-1757
CVE-2025-1757 refers to WordPress Portfolio Builder – Portfolio Gallery (Uber Grid) with Stored XSS via pfhub_portfolio and pfhub_portfolio_portfolio shortcodes in versions up to 1.1.7. The Red Hat and CIRCL entries corroborate the description. The vulnerability requires authenticated access (Con...
PT-2025-9057 · WordPress · Mk Google Directions
Name of the Vulnerable Software and Affected Versions: MK Google Directions plugin for WordPress versions up to and including 3.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'MKGD' shortcode, allowing authenticated...
WordPress Traveler theme <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability
Authenticated Contributor+ Local File Inclusion via Shortcode vulnerability discovered by István Márton in WordPress Theme Traveler versions <= 3.1.8...
CVE-2024-6261
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
WordPress ThemeMakers Stripe Checkout plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin ThemeMakers Stripe Checkout versions <= 1.0.1...
WordPress ThemeMakers PayPal Express Checkout plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin ThemeMakers PayPal Express Checkout versions <= 1.1.9...
WordPress Rife Elementor Extensions & Templates plugin <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Writing Effect Headline Shortcode vulnerability discovered by zer0gh0st in WordPress Plugin Rife Elementor Extensions & Templates versions <= 1.2.5...
CVE-2025-1489
The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2024-13674
The Cosmic Blocks 40+ Content Editor Blocks Collection plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cwpsocialshare' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2024-13672
The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mcg' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied...
WordPress Newpost Catch plugin <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via npc Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Newpost Catch versions <= 1.3.19...
WordPress Prime Addons for Elementor plugin <= 2.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode vulnerability
Authenticated Contributor+ Insecure Direct Object Reference via pae_global_block Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Prime Addons for Elementor versions <= 2.0.1...
CVE-2024-13591
The Team Builder For WPBakery Page Builder (Formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'team-builder-vc' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-13443
The CVE-2024-13443 entry concerns the Easypromos Plugin for WordPress. It is a Stored XSS vulnerability in the plugin’s Easypromos shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue affects all versions up to and including 1.3.8, and requir...
PT-2025-7348 · WordPress · Adfo
Name of the Vulnerable Software and Affected Versions: ADFO – Custom data in admin dashboard plugin for WordPress versions up to, and including, 1.9.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'adfo list' shortcode due to insufficient input sanitization and...
PT-2025-7374 · WordPress · Store Locator Widget
Name of the Vulnerable Software and Affected Versions: Store Locator Widget plugin for WordPress versions up to, and including, 20200131 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode due to insufficient input sanitization and outp...