CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Patchstack•added 2026/02/02 8:34 a.m.•4 views

WordPress Geo Controller plugin <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution vulnerability

Missing Authorization to Unauthenticated Shortcode Execution vulnerability discovered by Lucio Sá in WordPress Plugin Geo Controller versions = 8.6.9...

5.3CVSS5.5AI score0.00339EPSS

Patchstack•added 2026/02/02 8:33 a.m.•5 views

WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by haidv35 - VCS in WordPress Plugin Ultimate Addons for WPBakery Page Builder versions = 3.19.20...

6.4CVSS5.3AI score0.00297EPSS

Patchstack•added 2026/02/02 8:30 a.m.•5 views

WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by haidv35 - VCS in WordPress Plugin Ultimate Addons for WPBakery Page Builder versions = 3.19.20...

6.4CVSS5.3AI score0.00297EPSS

Patchstack•added 2026/02/02 6:57 a.m.•8 views

WordPress Confetti Fall Animation plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via confetti-fall-animation Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Confetti Fall Animation versions = 1.3.1...

6.4CVSS5.9AI score0.00316EPSS

Patchstack•added 2026/02/02 6:55 a.m.•6 views

WordPress WP-WebAuthn plugin <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wwaloginform Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin WP-WebAuthn versions = 1.3.3...

6.4CVSS5.9AI score0.00384EPSS

Patchstack•added 2026/02/02 6:52 a.m.•7 views

WordPress Bridge Core plugin <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton - Wordfence in WordPress Plugin Bridge Core versions = 3.2.0...

6.4CVSS5.9AI score0.00283EPSS

Patchstack•added 2026/02/02 6:48 a.m.•9 views

WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via auxcontactbox and auxgmaps Shortcodes vulnerability discovered by David Gallagher BatFeats - Adept Digital in WordPress Plugin Shortcodes and extra features for Phlox theme versions = 2.17.0...

6.4CVSS7.3AI score0.00315EPSS

Patchstack•added 2026/01/30 7:30 a.m.•6 views

WordPress MediaPress plugin <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Plugin's Shortcode vulnerability discovered by zaim in WordPress Plugin MediaPress versions = 1.6.1...

6.4CVSS5.9AI score0.00155EPSS

Patchstack•added 2026/01/30 7:30 a.m.•7 views

WordPress Widget Countdown plugin <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Widget Countdown versions = 2.7.7...

6.4CVSS5.9AI score0.00192EPSS

Patchstack•added 2026/01/30 6:57 a.m.•7 views

WordPress Buttons Shortcode and Widget plugin <= 1.16 - Stored XSS via shortcode vulnerability

Stored XSS via shortcode vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Buttons Shortcode and Widget versions = 1.16...

6.1CVSS5.9AI score0.00413EPSS

Exploits2References1Affected Software1

Patchstack•added 2026/01/30 4:17 a.m.•8 views

WordPress CubeWP plugin <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via cubewpshortcodetaxonomy Shortcode vulnerability discovered by zaim in WordPress Plugin CubeWP versions = 1.1.26...

6.4CVSS5.9AI score0.00185EPSS

Patchstack•added 2026/01/29 10:31 p.m.•7 views

WordPress PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin <= 1.7 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode versions = 1.7...

5.4CVSS5.9AI score0.00319EPSS

Exploits2References1Affected Software1

RedhatCVE•added 2026/01/29 3:18 p.m.•6 views

CVE-2025-14865

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'contentprotector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and...

RedhatCVE•added 2026/01/29 9:24 a.m.•10 views

Exploits0References1

CVE-2026-1295

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for...

6.4CVSS6AI score0.0027EPSS

Exploits0References1

RedhatCVE•added 2026/01/29 9:24 a.m.•11 views

CVE-2026-1244

The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoopcampaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the...

6.4CVSS6AI score0.00251EPSS

Exploits0References1

Cvelist•added 2026/01/28 12:28 p.m.•41 views

CVE-2025-14865 Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4CVSS0.00248EPSS

Vulnrichment•added 2026/01/28 12:28 p.m.•4 views

CVE-2025-14865 Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

EUVD•added 2026/01/28 12:28 p.m.•6 views

EUVD-2025-206505

CVE•added 2026/01/28 12:28 p.m.•18 views

CVE-2025-14865

CVE-2025-14865 (Passster WordPress plugin) : The Passster plugin is affected by a Stored Cross-Site Scripting vulnerability via the content_protector shortcode in all versions up to and including 4.2.24. Exploitation requires authenticated access at Contributor level or higher, enabling an attack...