CVE-2025-11860 Twitter Feed <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Twitter Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ottwitterfeed' shortcode in all versions up to, and including, 1.3.1. This is due to the plugin not properly sanitizing user input and output of the 'width' and 'height' parameters. This makes it possible...

CVE-2025-11882 Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-11882 Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Donate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's simpledonate shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-12663 Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jebaforkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2025-12663 Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jebaforkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2025-12663

CVE-2025-12663 (Jeba Cute forkit WordPress plugin) is a Stored Cross-Site Scripting vulnerability in the jeba_forkit shortcode. The issue stems from insufficient input sanitization and output escaping of the text attribute, affecting all versions up to 1.0. Exploitation requires authenticated acc...

CVE-2025-11882

CVE-2025-11882 affects the WordPress plugin Simple Donate (versions

CVE-2025-12668 WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpcountdowntimer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-12668 WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpcountdowntimer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-11821

CVE-2025-11821 concerns the WordPress plugin WooCommerce – Products By Custom Tax . The vulnerability is a Stored XSS via the shortcode woo_products_custom_tax in versions up to 2.2. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, enabl...

CVE-2025-11821 Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooproductscustomtax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2025-11821 Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooproductscustomtax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2025-11859 Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the 'title' and 'text' parameters. This makes it possibl...

CVE-2025-11859

CVE-2025-11859 affects the WordPress plugin Paypal Donation Shortcode (versions

CVE-2025-11859 Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Paypal Donation Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in all versions up to, and including, 0.1. This is due to the plugin not properly sanitizing user input and output of the 'title' and 'text' parameters. This makes it possibl...

CVE-2025-12671 WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpiconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12671 WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpiconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12671

The CVE-2025-12671 entry concerns the WordPress WP-Iconics plugin with stored cross-site scripting in the wp_iconics shortcode parameters. Affected versions are listed as up to 0.0.4 (and upstream updates address 0.0.5+ per remediation notes). Root cause is insufficient input sanitization and ina...

CVE-2025-12753 Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzezchart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for...

CVE-2025-12753 Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzezchart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for...