PT-2025-33713 · WordPress · Flexible Map

Name of the Vulnerable Software and Affected Versions: Flexible Map plugin for WordPress versions prior to 1.19.0 Description: The Flexible Map plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s Flexible Maps shortcode. Insufficient input sanitization and outp...

CVE-2025-7649 Surbma | Recent Comments Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Surbma | Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2025-8905

The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the themesectionshortcode function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with...

CVE-2025-7650 BizCalendar Web <= 1.1.0.53 - Authenticated (Contributor+) Local File Inclusion

The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.53 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the...

CVE-2025-8604 WP Table Builder – WordPress Table Plugin <= 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

CVE-2025-8604

CVE-2025-8604 – WP Table Builder vulnerability: Stored Cross-Site Scripting via the wptb shortcode in WordPress Table Plugin versions up to and including 2.0.12, caused by insufficient input sanitization and output escaping on user-supplied attributes. The issue affects authenticated users with c...

CVE-2025-8604 WP Table Builder – WordPress Table Plugin <= 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

PT-2025-33467 · WordPress · Inpersttion For Theme

Name of the Vulnerable Software and Affected Versions: Inpersttion For Theme plugin for WordPress versions prior to 1.0 Description: The Inpersttion For Theme plugin for WordPress is susceptible to Remote Code Execution in versions up to and including 1.0 via the theme section shortcode function...

CVE-2025-8685

The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-8688

The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-8685 Wp chart generator <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode

The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-6787

The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocssearch' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVE-2025-6687

The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-5488

The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-6258 WP SoundSystem <= 3.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode

The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-4585 IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmflat' Shortcode

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

PT-2025-24042 · WordPress · Hide It

Name of the Vulnerable Software and Affected Versions: Hide It plugin for WordPress versions up to, and including, 1.0.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode due to insufficient input sanitization and output escaping on user-supplied...

CVE-2025-5539

The Simple Contact Form Plugin for WordPress – WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emdmbmeta' shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attribute...

CVE-2024-2499

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'accordions' shortcode in all versions up to, and including, 0.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-6262

The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...