8989 matches found
PT-2026-26819
The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
WordPress plugin Ecover Builder For Dummies 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
WordPress plugin WordPress PayPal Donation 跨站脚本漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-26862
The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the sheets2table-render-table shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the...
PT-2026-26870
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad func shortcode handl...
CVE-2026-4083 Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...
CVE-2026-4083 Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...
CVE-2026-4083
The CVE concerns the WordPress plugin Scoreboard for HTML5 Games Lite (up to version 1.2). The root cause is in the shortcode handling function sfhg_shortcode(), which allows arbitrary HTML attributes to be added to the rendered despite a small blacklist, because escaping is insufficient for eve...
PT-2026-26724
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhg shortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...
WordPress Instant Popup Builder plugin <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter vulnerability
Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter vulnerability discovered by theviper17y in WordPress Plugin Instant Popup Builder versions = 1.1.7...
EUVD-2026-13074
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handleemailverificationpage function constructing a shortcode string from user-supplied GET parameters token, email and passi...
CVE-2026-3475
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handleemailverificationpage function constructing a shortcode string from user-supplied GET parameters token, email and passi...
CVE-2026-3475 Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handleemailverificationpage function constructing a shortcode string from user-supplied GET parameters token, email and passi...
CVE-2026-3475
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handleemailverificationpage function constructing a shortcode string from user-supplied GET parameters token, email and passi...
CVE-2026-3475
CVE-2026-3475 affects the WordPress plugin Instant Popup Builder (
CVE-2026-3475 Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter
The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handleemailverificationpage function constructing a shortcode string from user-supplied GET parameters token, email and passi...
CVE-2026-4006
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayname' post meta Custom Field in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is...
CVE-2026-4006
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayname' post meta Custom Field in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is...
CVE-2026-4006 Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayname' post meta Custom Field in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is...
PT-2026-26257
Name of the Vulnerable Software and Affected Versions Simple Draft List plugin for WordPress versions up to and including 2.6.2 Description The Simple Draft List plugin for WordPress is susceptible to Stored Cross-Site Scripting through the display name post meta Custom Field. This is a result of...