
8992 matches found

RedhatCVE
added 2026/01/09 12:32 p.m. | 6 views

CVE-2023-4035

The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4 | AI score 5.5 | EPSS 0.00371
Exploits: 2 | References: 1

RedhatCVE
added 2026/01/09 12:31 p.m. | 7 views

CVE-2023-4289

The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attac...

CVSS 5.4 | AI score 5.9 | EPSS 0.00403
Exploits: 2 | References: 1

RedhatCVE
added 2026/01/09 12:31 p.m. | 7 views

CVE-2023-4036

The Simple Blog Card WordPress plugin before 1.32 does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones...

CVSS 4.3 | AI score 6.9 | EPSS 0.00453
Exploits: 2 | References: 1

RedhatCVE
added 2026/01/09 12:31 p.m. | 2 views

CVE-2023-4799

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4 | AI score 5.5 | EPSS 0.00426
Exploits: 2 | References: 1

NVD
added 2026/01/09 12:15 p.m. | 4 views

CVE-2025-13854

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | EPSS 0.00232
Exploits: 0 | References: 3

NVD
added 2026/01/09 12:15 p.m. | 3 views

CVE-2025-13903

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00239
Exploits: 0 | References: 3

NVD
added 2026/01/09 12:15 p.m. | 3 views

CVE-2025-13908

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'thetooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00239
Exploits: 0 | References: 3

NVD
added 2026/01/09 12:15 p.m. | 3 views

CVE-2025-13704

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headclass' parameter of the 'autogenmenu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.0024
Exploits: 0 | References: 5

NVD
added 2026/01/09 12:15 p.m. | 4 views

CVE-2025-13852

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the leadform shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | EPSS 0.00185
Exploits: 0 | References: 3

CVE
added 2026/01/09 11:15 a.m. | 15 views

CVE-2025-13908

CVE-2025-13908 is a stored XSS vulnerability in the WordPress plugin The Tooltip, affecting versions up to and including 1.0.2. The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin’s the_tooltip shortcode. The Wordfence Intelligence e...

CVSS 6.4 | AI score 4.7 | EPSS 0.00239
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/09 11:15 a.m. | 3 views

CVE-2025-13908 The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'thetooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.7 | EPSS 0.00239
Exploits: 0 | References: 3

Cvelist
added 2026/01/09 11:15 a.m. | 29 views

CVE-2025-13854 Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | EPSS 0.00232
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/09 11:15 a.m. | 5 views

CVE-2025-13854 Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 4.8 | EPSS 0.00232
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/09 11:15 a.m. | 3 views

CVE-2025-13852 Debt.com Business in a Box <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the leadform shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | AI score 4.8 | EPSS 0.00185
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/09 11:15 a.m. | 6 views

CVE-2025-13967 Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | AI score 4.7 | EPSS 0.00197
Exploits: 0 | References: 5

CVE
added 2026/01/09 11:15 a.m. | 20 views

CVE-2025-13967

CVE-2025-13967 (Woodpecker for WordPress) details (from connected doc): The Woodpecker for WordPress plugin is affected by a stored XSS in the woodpecker-connector shortcode’s form_name parameter. This vulnerability exists in all versions up to and including 3.0.4. Exploitation requires authentic...

CVSS 6.4 | AI score 4.7 | EPSS 0.00197
Exploits: 0 | References: 5

Cvelist
added 2026/01/09 11:15 a.m. | 28 views

CVE-2025-13967 Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | EPSS 0.00197
Exploits: 0 | References: 5

CVE
added 2026/01/09 11:15 a.m. | 19 views

CVE-2025-13903

The CVE-2025-13903 entry concerns the PullQuote WordPress plugin, which is reported to be vulnerable to Stored Cross-Site Scripting via the plugin’s pullquote shortcode in all versions up to 1.0. The issue, caused by insufficient input sanitization and output escaping on user-supplied attributes,...

CVSS 6.4 | AI score 4.7 | EPSS 0.00239
Exploits: 0 | References: 3

Cvelist
added 2026/01/09 11:15 a.m. | 19 views

CVE-2025-13903 PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00239
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/09 11:15 a.m. | 5 views

CVE-2025-13903 PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.7 | EPSS 0.00239
Exploits: 0 | References: 3