712 matches found
WordPress Social Sharing Plugin – Social Warfare plugin <= 4.4.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Social Warfare versions <= 4.4.6.1...
WordPress hCaptcha plugin <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via cf7-hcaptcha Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via cf7-hcaptcha Shortcode vulnerability discovered by haidv35 in WordPress Plugin hCaptcha for WP versions <= 4.0.0...
WordPress tagDiv Composer plugin <= 4.8 - Authenticated Local File Inclusion via Shortcode vulnerability
Authenticated Local File Inclusion via Shortcode vulnerability discovered by István Márton in WordPress Plugin tagDiv Composer versions <= 4.8...
WordPress EAN for WooCommerce plugin <= 4.9.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability
Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin EAN for WooCommerce versions <= 4.9.2...
WordPress EAN for WooCommerce plugin <= 4.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_ean_product_meta Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via alg_wc_ean_product_meta Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin EAN for WooCommerce versions <= 4.9.2...
PT-2024-3144 · Tutor Lms · Tutor Lms
Name of the Vulnerable Software and Affected Versions: Tutor LMS versions up to, and including, 2.6.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'tutor instructor list' shortcode due to insufficient input sanitization and output escaping on user-supplied...
CVE-2024-3244
The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedpresscalendar' shortcode in all versions up to, and including, 3.9.14...
CVE-2023-6999
The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Execution via shortcode in all versions up to, and including, 3.0.10 with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2. This makes it possible for authenticated attackers, with contributor level access ...
PT-2024-18638 · WordPress · Passster
Name of the Vulnerable Software and Affected Versions: Passster plugin for WordPress versions up to, and including, 4.2.6.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's content protector shortcode due to insufficient input sanitization and output escaping on...
WordPress Passster plugin <= 4.2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Passster versions <= 4.2.6.4...
WordPress Beaver Themer plugin <= 1.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via shortcode vulnerability
Authenticated (Contributor+) Sensitive Information Exposure via shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Beaver Themer versions <= 1.4.9...
WordPress TaxoPress plugin <= 3.13.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by stealthcopter in WordPress Plugin TaxoPress versions <= 3.12.0...
WordPress Modal Popup Box plugin <= 1.5.2 - Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode vulnerability
Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Modal Popup Box versions <= 1.5.2...
CVE-2024-2839
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibriposttitle' shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as 'headingtype'. This...
WordPress Favorites plugin <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Favorites versions <= 2.3.3...
WordPress WordPress File Upload plugin <= 4.24.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin WordPress File Upload versions <= 4.24.5...
PT-2024-22153 · WordPress · Editorskit
Name of the Vulnerable Software and Affected Versions: Gutenberg Block Editor Toolkit – EditorsKit plugin for WordPress versions up to, and including, 1.40.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'editorskit' shortcode due to insufficient input...
WordPress Pods plugin <= 3.0.10 - Authenticated (Contributor+) SQL Injection via Shortcode vulnerability
Authenticated (Contributor+) SQL Injection via Shortcode vulnerability discovered by Nex Team in WordPress Plugin Pods versions <= 3.0.10...
WordPress Pods plugin <= 3.0.10 - Authenticated (Contributor+) Remote Code Execution via Shortcode vulnerability
Authenticated (Contributor+) Remote Code Execution via Shortcode vulnerability discovered by Nex Team in WordPress Plugin Pods versions <= 3.0.10...
CVE-2024-1564
The wp-schema-pro WordPress plugin before 2.7.16 does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode...