CVE-2025-13739

The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cryptx shortcode in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

EUVD-2025-201521

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

EUVD-2025-201526

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

EUVD-2025-201534

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the igp-wp shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

EUVD-2025-201525

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

EUVD-2025-201522

The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'beforelist' parameter in the list-attachments shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13898

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnid' parameter of the ultraskype shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2025-13899

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2025-13896

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the igp-wp shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-13907

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13857

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclapbutton shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-12717

The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'beforelist' parameter in the list-attachments shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-12368

The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sermon-views shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticate...

CVE-2025-13857 Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclapbutton shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13857 Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclapbutton shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13857

The CVE concerns the WordPress plugin Yet Another WebClap for WordPress. Exploitation target is the webclap_button shortcode's text parameter, with the vulnerability stemming from insufficient input sanitization and output escaping. Affected versions are all up to and including 0.2. Impact: authe...

CVE-2025-13856 Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

CVE-2025-13856

CVE-2025-13856 relates to the WordPress plugin Extra Post Images prior to a fixed version. The vulnerability is a stored cross-site scripting (XSS) via the id parameter of the extra-images shortcode, affecting all versions up to 1.0. Exploitation requires authenticated access at Contributor level...

CVE-2025-13907

CVE-2025-13907 : CSS3 Buttons plugin for WordPress is vulnerable to Stored XSS via the plugin’s ‘button’ shortcode in versions up to 0.1. The issue arises from insufficient input sanitization and output escaping of user-supplied attributes. Exploitation requires an authenticated attacker with con...

CVE-2025-13907 CSS3 Buttons <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...