WordPress Microtango plugin <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Microtango versions = 0.9.29...

WordPress Orbisius Random Name Generator plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'btnlabel' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Orbisius Random Name Generator versions = 1.0.2...

CVE-2026-1922

The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-1922

CVE-2026-1922 : The Events Calendar Shortcode & Block plugin for WordPress contains a stored XSS vulnerability in the ecs-list-events shortcode, via the message attribute. It affects all versions up to 3.1.2 and arises from insufficient input sanitization and output escaping on user-supplied attr...

WordPress plugin The Events Calendar Shortcode & Block 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress The Events Calendar Shortcode & Block plugin <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin The Events Calendar Shortcode & Block versions = 3.1.2...

CVE-2025-15477

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode category and id attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This...

CVE-2026-1613

The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's listclass shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1570

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1608

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-12803

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'btbbtabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

CVE-2025-15267

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbaccordionitem shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1570

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1608

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1611

The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wikiloops shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1613

The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's listclass shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-15477

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode category and id attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This...

CVE-2025-15477

The Bucketlister WordPress plugin (versions up to and including 0.1.5) is vulnerable to SQL Injection via the shortcode attributes category and id. The root cause is insufficient escaping of user-supplied parameters and inadequate preparation of the existing SQL query. This allows authenticated a...

CVE-2025-15477 The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode category and id attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This...