73 matches found
CVE-2025-13887 AI BotKit <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The AI BotKit – AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the aibotkitwidget shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it...
CVE-2025-14835 WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting
The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14835
CVE-2025-14835 concerns the WP Photo Album Plus WordPress plugin. The vulnerability is Reflected Cross-Site Scripting via the shortcode parameter in all versions up to 9.1.05.008, caused by insufficient input sanitization and output escaping. It is an unauthenticated issue that can allow an att...
PT-2026-1560
Name of the Vulnerable Software and Affected Versions: WP Photo Album Plus plugin for WordPress versions up to and including 9.1.05.008. Description: The WP Photo Album Plus plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the shortcode parameter. Insufficient input...
CVE-2025-13592 Advanced Ads <= 2.0.14 - Authenticated (Editor+) Remote Code Execution via Shortcode
The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-adcontent' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server...
CVE-2025-14054
The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headingcolor' parameter and multiple other styling parameters of the wpbforwpbakeryproductadditionalinformation shortcode in all versions up to, and including, 1.2.0 d...
CVE-2025-12960
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the href parameter in the csv shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it...
CVE-2025-13705 Custom Frames <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter
The Custom Frames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'customframe' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
WordPress Custom Frames plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Parameter vulnerability discovered by theviper17y in WordPress Plugin Custom Frames versions <= 1.0.1...
WordPress plugin Custom Frames cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripting...
PT-2025-51077
Name of the Vulnerable Software and Affected Versions: Extensive VC Addons for WPBakery page builder plugin for WordPress versions prior to 1.9.2. Description: The software is susceptible to a Local File Inclusion issue due to insufficient path normalization and validation of the shortcode name...
CVE-2025-13840
The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazusearch' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...
CVE-2025-13889
CVE-2025-13889: The Simple Nivo Slider WordPress plugin is vulnerable to a stored XSS via the shortcodes’ id parameter in all versions up to 0.5.6 due to insufficient input sanitization and output escaping. The issue requires authentication: attackers with Contributor-level access or higher can ...
WordPress plugin BUKAZU Search widget cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripting...
PT-2025-50822
The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
CVE-2025-13857 Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclapbutton shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-13857
The CVE concerns the WordPress plugin Yet Another WebClap for WordPress. Exploitation target is the webclap_button shortcode's text parameter, with the vulnerability stemming from insufficient input sanitization and output escaping. Affected versions are all up to and including 0.2. Impact: authe...
CVE-2025-13896 Social Feed Gallery Portfolio <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the igp-wp shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
EUVD-2025-199786
The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it...