CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2025/12/12 8:15 a.m.•6 views

CVE-2025-11876

The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgunsubscriptionform' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

6.4CVSS6AI score0.00188EPSS

EUVD•added 2025/12/12 7:20 a.m.•3 views

EUVD-2025-203054

6.4CVSS4.7AI score0.00188EPSS

Exploits0References5

EUVD•added 2025/12/12 6:31 a.m.•2 views

EUVD-2025-202975

The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS4.7AI score0.00181EPSS

EUVD•added 2025/12/12 6:31 a.m.•4 views

EUVD-2025-202977

The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttomimage' parameter of the paypal-shortcode shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS4.7AI score0.00188EPSS

Exploits0References6

EUVD•added 2025/12/12 6:31 a.m.•4 views

EUVD-2025-202958

The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nspshortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

6.4CVSS4.6AI score0.00197EPSS

EUVD•added 2025/12/12 6:31 a.m.•5 views

EUVD-2025-202961

The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classname' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes i...

6.4CVSS4.7AI score0.00152EPSS

NVD•added 2025/12/12 4:15 a.m.•3 views

CVE-2025-14143

The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayoaction shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

NVD•added 2025/12/12 4:15 a.m.•6 views

Exploits0References5

CVE-2025-13963

The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxccconvert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

NVD•added 2025/12/12 4:15 a.m.•4 views

CVE-2025-13961

The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00228EPSS

NVD•added 2025/12/12 4:15 a.m.•8 views

CVE-2025-13962

The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

NVD•added 2025/12/12 4:15 a.m.•6 views

CVE-2025-13966

NVD•added 2025/12/12 4:15 a.m.•7 views

Exploits0References5

CVE-2025-13960

The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS0.00228EPSS

NVD•added 2025/12/12 4:15 a.m.•5 views

CVE-2025-13906

6.4CVSS0.00181EPSS

NVD•added 2025/12/12 4:15 a.m.•5 views

CVE-2025-13885

The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00181EPSS

NVD•added 2025/12/12 4:15 a.m.•8 views

CVE-2025-13747

6.4CVSS0.00197EPSS

NVD•added 2025/12/12 4:15 a.m.•26 views

CVE-2025-13843

The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This make...

6.4CVSS0.00181EPSS

NVD•added 2025/12/12 4:15 a.m.•6 views

CVE-2025-13840

The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazusearch' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

6.4CVSS0.00236EPSS