8992 matches found
EUVD-2026-5612
The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers,...
CVE-2026-1909
The WaveSurfer-WP WordPress plugin is affected by a Stored Cross-Site Scripting (XSS) flaw in all versions up to and including 2.8.3, caused by insufficient input sanitization and output escaping on the 'src' attribute of the audio shortcode. Authenticated attackers with Contributor-level access ...
CVE-2026-1808
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplusbutton shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-1808 Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplusbutton shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it...
EUVD-2026-5613
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplusbutton shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-1808 Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplusbutton shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it...
EUVD-2026-5615
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1888 Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1888
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1888 Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1888
The Docus – YouTube Video Playlist plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability in all versions up to 1.0.6 due to insufficient input sanitization and output escaping on attributes of the docusplaylist shortcode. Authentication at Contributor level or higher is ...
CVE-2026-1228
The Timeline Block – Beautiful Timeline Builder for WordPress Vertical & Horizontal Timelines plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgbshortcode function due to missing validation on a user controlled key. This...
CVE-2026-1228
The CVE-2026-1228 entry concerns the Timeline Block – Beautiful Timeline Builder for WordPress plugin for WordPress, affected up to version 1.3.3. The vulnerability is an Insecure Direct Object Reference in the tlgb_shortcode() function caused by missing validation of a user-controlled key, allow...
EUVD-2026-5609
The Timeline Block – Beautiful Timeline Builder for WordPress Vertical & Horizontal Timelines plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgbshortcode function due to missing validation on a user controlled key. This...
CVE-2026-1228 Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute
The Timeline Block – Beautiful Timeline Builder for WordPress Vertical & Horizontal Timelines plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgbshortcode function due to missing validation on a user controlled key. This...
CVE-2026-1228 Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute
The Timeline Block – Beautiful Timeline Builder for WordPress Vertical & Horizontal Timelines plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgbshortcode function due to missing validation on a user controlled key. This...
WordPress Docus plugin <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Docus versions = 1.0.6...
WordPress WaveSurfer-WP plugin <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'src' Shortcode Attribute vulnerability discovered by Ivan Cese in WordPress Plugin WaveSurfer-WP versions = 2.8.3...
WordPress Orange Confort+ accessibility toolbar for WordPress plugin <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Orange Comfort+ accessibility toolbar for WordPress versions = 0.7...
WordPress Timeline Block plugin <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute vulnerability
Insecure Direct Object Reference to Authenticated Author+ Private Timeline Exposure via Shortcode Attribute vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Timeline Block versions = 1.3.3...