
712 matches found

NVD
added 2025/11/11 4:15 a.m. | 2 views

CVE-2025-11856

The Eventbee Ticketing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eventbeeticketwidget' shortcode in all versions up to, and including, 1.0. This is due to the plugin not properly sanitizing user input and output of several parameters. This makes it possible...

CVSS 6.4 | EPSS 0.00034
Exploits 0 | References 2

CVE
added 2025/11/11 3:30 a.m. | 18 views

CVE-2025-12663

CVE-2025-12663 (Jeba Cute forkit WordPress plugin) is a Stored Cross-Site Scripting vulnerability in the jeba_forkit shortcode. The issue stems from insufficient input sanitization and output escaping of the text attribute, affecting all versions up to 1.0. Exploitation requires authenticated acc...

CVSS 6.4 | AI score 4.8 | EPSS 0.00034
Exploits 0 | References 3

Cvelist
added 2025/11/11 3:30 a.m. | 5 views

CVE-2025-11882 Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00034
Exploits 0 | References 2

Vulnrichment
added 2025/11/11 3:30 a.m. | 2 views

CVE-2025-11882 Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.9 | EPSS 0.00034
Exploits 0 | References 2

Cvelist
added 2025/11/11 3:30 a.m. | 7 views

CVE-2025-11821 Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooproductscustomtax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVSS 6.4 | EPSS 0.00034
Exploits 0 | References 3

Cvelist
added 2025/11/11 3:30 a.m. | 2 views

CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode

The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via an arbitrary method call from the AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...

CVSS 6.5 | EPSS 0.00051
Exploits 0 | References 4

CVE
added 2025/11/11 3:30 a.m. | 10 views

CVE-2025-11805

The CVE CVE-2025-11805 concerns the WordPress plugin Skip to Timestamp (versions

CVSS 6.4 | AI score 4.7 | EPSS 0.00034
Exploits 0 | References 3

Vulnrichment
added 2025/11/11 3:30 a.m. | 3 views

CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode

The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via an arbitrary method call from the AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...

CVSS 6.5 | AI score 5.7 | EPSS 0.00051
Exploits 0 | References 4

Vulnrichment
added 2025/11/11 3:30 a.m. | 0 views

CVE-2025-12644 Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields

The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom...

CVSS 6.4 | AI score 4.6 | EPSS 0.00034
Exploits 0 | References 3

Cvelist
added 2025/11/11 3:30 a.m. | 4 views

CVE-2025-11863 My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeocity' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it...

CVSS 6.4 | EPSS 0.00034
Exploits 0 | References 2

Cvelist
added 2025/11/11 3:30 a.m. | 4 views

CVE-2025-11874 Slippy Slider – Responsive Touch Navigation Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Slippy Slider – Responsive Touch Navigation Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slippy-slider' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. Thi...

CVSS 5.4 | EPSS 0.00025
Exploits 0 | References 2

CVE
added 2025/11/11 3:30 a.m. | 13 views

CVE-2025-11874

CVE-2025-11874 : The WordPress plugin Slippy Slider – Responsive Touch Navigation Slider is vulnerable to Stored Cross-Site Scripting via the shortcode slippy-slider in all versions

CVSS 5.4 | AI score 4.7 | EPSS 0.00025
Exploits 0 | References 2

Patchstack
added 2025/11/11 12:26 a.m. | 4 views

WordPress Chart Expert plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Chart Expert versions = 1.0...

CVSS 6.4 | AI score 5.8 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2025/11/11 12:12 a.m. | 5 views

WordPress Coon Google Maps plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Coon Google Maps versions = 1.0...

CVSS 6.4 | AI score 5.7 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Positive Technologies
added 2025/11/11 12:0 a.m. | 5 views

PT-2025-46271

Name of the Vulnerable Software and Affected Versions Authors List plugin for WordPress versions prior to 2.0.6.2 Description The Authors List plugin for WordPress is susceptible to sensitive information exposure. Authenticated attackers with Contributor-level access or higher can exploit this...

CVSS 6.5 | AI score 6.4 | EPSS 0.00051
Exploits 0 | References 5

Positive Technologies
added 2025/11/11 12:0 a.m. | 2 views

PT-2025-46258

Name of the Vulnerable Software and Affected Versions My Geo Posts Free plugin for WordPress versions prior to 1.3 Description The My Geo Posts Free plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'mygeo city' shortcode. This occurs because the plugin does not...

CVSS 6.4 | AI score 5.4 | EPSS 0.00034
Exploits 0 | References 4

Patchstack
added 2025/11/10 11:52 p.m. | 7 views

WordPress Jeba Cute forkit plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Jeba Cute forkit versions = 1.0...

CVSS 6.4 | AI score 5.8 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

EUVD
added 2025/11/08 12:30 p.m. | 2 views

EUVD-2025-38373

The Saphali LiqPay for donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saphaliliqpay' shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 4.7 | EPSS 0.00034
Exploits 0 | References 4

CVE
added 2025/11/08 9:28 a.m. | 13 views

CVE-2025-12643

CVE-2025-12643 – Saphali LiqPay for donate (WordPress) Stored XSS The WordPress plugin Saphali LiqPay for donate (plugin slug: saphali-liqpay-for-donate) is affected by a stored cross-site scripting vulnerability in the shortcode attribute saphali_liqpay. All versions up to and including 1.0.2 ar...

CVSS 6.4 | AI score 4.7 | EPSS 0.00034
Exploits 0 | References 3

RedhatCVE
added 2025/11/06 10:13 a.m. | 3 views

CVE-2025-11987

The Visual Link Preview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's visual-link-preview shortcode in versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 | AI score 5 | EPSS 0.00042
Exploits 0 | References 1