CVE-2025-13900

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the wppumend shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-13729

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13853

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'datatech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2023-25786

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin = 1.8.2 versions...

CVE-2023-45652

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Justin Silver Remote Content Shortcode allows PHP Local File Inclusion.This issue affects Remote Content Shortcode: from n/a through 1.5...

CVE-2023-45643

Cross-Site Request Forgery CSRF vulnerability in Anurag Deshmukh CPT Shortcode Generator plugin = 1.0 versions...

CVE-2023-4842

The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'socialwarfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-4716

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mlagallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2023-4887

The Google Maps Plugin by Intergeo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'intergeo' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2023-4995

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-4960

The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfmstores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-4890

The JQuery Accordion Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-4944

The Awesome Weather Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2023-4889

The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2025-13853 Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'datatech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2025-13853

CVE-2025-13853 affects Nearby Now Reviews (WordPress plugin) and is an authenticated Stored XSS in the nn-tech shortcode via the data_tech parameter, impacting all versions up to 5.2. The flaw arises from insufficient input sanitization and output escaping, enabling an attacker with Contributor+ ...

CVE-2025-13900 WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the wppumend shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-13900 WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the wppumend shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-13900

CVE-2025-13900 refers to the WP Popup Magic plugin for WordPress, with a Stored XSS vulnerability in the shortcode [wppum_end] via the name parameter. The connected Wordfence summary confirms the flaw affects WP Popup Magic and lists it as an authenticated (Contributor+) Stored Cross‑Site Scripti...

CVE-2025-13729

CVE-2025-13729 affects the Entry Views WordPress plugin. It is a Stored Cross-Site Scripting vulnerability via the plugin’s entry-views shortcode in all versions up to 1.0.0, caused by insufficient input sanitization and output escaping of user-provided shortcode attributes. Exploitation requires...