8996 matches found
CVE-2025-11763
The WordPress plugin Display Pages Shortcode is vulnerable to Stored XSS through the column_count parameter in the [display-pages] shortcode (versions ≤ 1.1). The flaw arises from insufficient input filtering and output escaping, enabling authenticated attackers with Contributor+ access to inject...
EUVD-2025-198418
The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'columncount' parameter in the display-pages shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-13135 HotelRunner Booking Widget <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-11764 Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...
EUVD-2025-198419
The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-11799
CVE-2025-11799 (Affiliate AI Lite, WordPress): Stored Cross-Site Scripting via the asin attribute in the affiai_img shortcode. Affects all versions up to and including 1.0.1. Exploitation requires authenticated access at contributor level or higher, enabling injection of arbitrary scripts on page...
CVE-2025-11768
CVE-2025-11768 affects the WordPress Islamic Phrases plugin. It is an authenticated Stored Cross-Site Scripting vulnerability via the phrases shortcode attribute in all versions up to and including 2.12.2015. Exploitation requires contributor-level access or higher, and injected scripts run in pa...
CVE-2025-11770 BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it...
CVE-2025-11767
CVE-2025-11767 affects the WordPress plugin Tips Shortcode. The vulnerability is a Stored Cross-Site Scripting (XSS) via the shortcode in all versions up to 0.2.1, caused by insufficient input sanitization and output escaping. It requires an authenticated attacker with contributor-level access o...
CVE-2025-11767 Tips Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
CVE-2025-11770
The BrightTALK WordPress Shortcode plugin (WordPress) is vulnerable to Stored Cross-Site Scripting via the format attribute of the brighttalk-time shortcode in all versions up to 2.4.0. The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers wit...
EUVD-2025-198398
The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
EUVD-2025-198399
The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-11801
The AudioTube WordPress plugin (versions
CVE-2025-11765
CVE-2025-11765: The WordPress plugin Stock Tools is vulnerable to stored XSS via the shortcode attributes image_height and image_width in all versions up to 1.1. The issue stems from insufficient input sanitization and output escaping. Exploitation requires authentication at contributor level or...
CVE-2025-12661
CVE-2025-12661 affects the Pollcaster Shortcode Plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the height attribute of the pollcaster shortcode in all versions up to 1.0, caused by insufficient input sanitization and output escaping. All evidence indicates an a...
CVE-2025-12661 Pollcaster Shortcode Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Pollcaster Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'pollcaster' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes...