8997 matches found
CVE-2025-12753
The WordPress Chart Expert plugin (versions
CVE-2025-12672 Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'divheight' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2025-12754 Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode
The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...
CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode
The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...
CVE-2025-12754
CVE-2025-12754 (Geopost WordPress plugin) : Concrete details are provided across multiple connected sources. The Geopost plugin (WordPress) is affected in all versions up to 1.2 and is vulnerable to Stored Cross-Site Scripting via the height parameter of the geopost shortcode. The root cause is i...
CVE-2025-12010
CVE-2025-12010 – Authors List plugin (WordPress) Vulnerability: Authenticated (Contributor+) users can trigger a limited method call in the Authors_List_Shortcode class to perform sensitive information exposure, extracting data such as password hashes, email addresses, usernames, and activation k...
CVE-2025-11805 Skip to Timestamp <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated...
CVE-2025-11805
The CVE CVE-2025-11805 concerns the WordPress plugin Skip to Timestamp (versions
CVE-2025-12644 Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom...
CVE-2025-12644
The CVE-2025-12644 issue affects the WordPress plugin Nonaki – Drag and Drop Email Template builder and Newsletter (versions up to and including 1.0.11). It is a stored XSS via the nonaki shortcode caused by insufficient input sanitization and output escaping of user-provided custom field values,...
CVE-2025-11863 My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeocity' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it...
CVE-2025-11829 Five9 Live Chat <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the five9-chat shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-11829 Five9 Live Chat <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the five9-chat shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-12652
CVE-2025-12652 — Ungapped Widgets (WordPress) is a stored XSS vulnerability in the ungapped-form shortcode, exploitable via the prefillvalues parameter. Reports indicate exploitation requires authenticated access at contributor level or higher, with the attacker able to inject scripts that run fo...
CVE-2025-12652 Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This mak...
CVE-2025-11829
CVE-2025-11829 relates to the Five9 Live Chat plugin for WordPress. The WordPress plugin versions through 1.1.2 are vulnerable to Stored Cross-Site Scripting via the toolbar attribute in the [five9-chat] shortcode, due to insufficient input sanitization and output escaping. The Wordfence report (...
CVE-2025-12652 Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This mak...
CVE-2025-11874
CVE-2025-11874 : The WordPress plugin Slippy Slider – Responsive Touch Navigation Slider is vulnerable to Stored Cross-Site Scripting via the shortcode slippy-slider in all versions
CVE-2025-11873
CVE-2025-11873 : WordPress WP BBCode plugin