8996 matches found
PT-2025-47683
The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for...
WordPress plugin WPSite Shortcode 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripti...
WordPress plugin BrightTALK WordPress Shortcode 跨站脚本漏洞
The WordPress BrightTALK Shortcode plugin is a plugin for WordPress designed to integrate BrightTALK's webinar functionality through shortcodes. The WordPress BrightTALK Shortcode plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filterin...
PT-2025-47680
The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it...
PT-2025-47704
The WPSite Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the wpsite y shortcode and the 'before' attribute in the wpsite postauthor shortcode in all versions up to, and including, 1.2. This is due to insufficient input...
PT-2025-47694
The Padlet Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'key' parameter in the 'wallwisher' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
WordPress Shortcode for Google Street View plugin <= 0.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Shortcode for Google Street View versions = 0.5.7...
WordPress WP Company Info plugin <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Company Info versions = 1.9.0...
WordPress WPSite Shortcode plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WPSite Shortcode versions = 1.2...
WordPress Display Pages Shortcode plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Display Pages Shortcode versions = 1.1...
WordPress BrightTALK WordPress Shortcode plugin <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin BrightTALK WordPress Shortcode versions = 2.4.0...
WordPress Surbma | MiniCRM Shortcode plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Surbma | MiniCRM Shortcode versions = 2.0...
WordPress Pollcaster Shortcode Plugin plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Pollcaster Shortcode Plugin versions = 1.0...
CVE-2025-12878
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wfopphone shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied default...
CVE-2025-12710
The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2025-13054
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppb-embed shortcode in all versions up to, and including, 3.14.8 due to insufficient input sanitization and output...
CVE-2025-13035
The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract on attacker-controlled shortcode attributes within the evaluateshortcodefromflatfile method, which can be used to overwrite the...
EUVD-2025-198141
The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract on attacker-controlled shortcode attributes within the evaluateshortcodefromflatfile method, which can be used to overwrite the...
CVE-2025-12823
The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
CVE-2025-12962
The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the syndicatelocal shortcode. This is due to the use of wpremoteget instead of wpsaferemoteget which lacks protections against requests to...