8992 matches found
PT-2026-3236
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user...
WordPress User Submitted Posts plugin <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'uspaccess' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin User Submitted Posts versions = 20260110...
WordPress Related Posts by Taxonomy plugin <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'relatedpostsbytax' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Related Posts by Taxonomy versions = 2.7.6...
CVE-2025-14615
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for...
CVE-2025-15486
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...
CVE-2025-15020
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on...
WordPress Gotham Block Extra Light plugin <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode vulnerability
Authenticated Contributor+ Arbitrary File Read via 'ghostban' Shortcode vulnerability discovered by 0x34rth in WordPress Plugin Gotham Block Extra Light versions = 1.5.0...
CVE-2025-15020
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on...
CVE-2025-15486 Kunze Law <= 2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...
CVE-2025-15486 Kunze Law <= 2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...
EUVD-2026-2538
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible fo...
CVE-2025-15486
CVE-2025-15486 concerns the WordPress Kunze Law plugin (versions
CVE-2025-12178 SpiceForms Form Builder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-14613 GetContentFromURL <= 1.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wpremoteget instead of wpsaferemoteget to fetch content from a user-supplied URL in the 'url' parameter of the gcfu shortcode. This...
CVE-2025-12178 SpiceForms Form Builder <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-12178
The CVE-2025-12178 entry covers a Stored Cross-Site Scripting vulnerability in the WordPress plugin SpiceForms Form Builder (versions
CVE-2025-14613
The WordPress GetContentFromURL plugin is affected in all versions up to 1.0. The root cause is using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the [gcfu] shortcode; this enables authenticated attackers with Contributor-level access and above to ...
CVE-2025-15020 Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on...
CVE-2025-15020 Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on...
CVE-2025-15020
CVE-2025-15020 affects the WordPress plugin Gotham Block Extra Light