9014 matches found
PT-2025-7393 · WordPress · Bandsintown Events
Name of the Vulnerable Software and Affected Versions: Bandsintown Events plugin for WordPress versions up to, and including, 1.3.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'bandsintown events' shortcode due to insufficient input sanitization and output...
WordPress WooCommerce Food - Restaurant Menu & Food ordering plugin <= 3.3.2 - Unauthenticated Arbitrary Shortcode Execution via ids vulnerability
WordPress WooCommerce Food - Restaurant Menu & Food ordering plugin = 3.3.2 - Unauthenticated Arbitrary Shortcode Execution via ids vulnerability discovered by Lucio Sá in WordPress Plugin WooCommerce Food - Restaurant Menu & Food ordering versions = 3.3.2...
WordPress Prime Addons for Elementor plugin <= 2.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode vulnerability
Authenticated Contributor+ Insecure Direct Object Reference via paeglobalblock Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Prime Addons for Elementor versions = 2.0.1...
WordPress Modal Window plugin <= 6.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via iframeBox Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via iframeBox Shortcode vulnerability discovered by Bassem Essam in WordPress Plugin Modal Window versions = 6.1.5...
CVE-2024-13854
The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naeduelementortemplate shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...
CVE-2024-13679
The Widget BUY.BOX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buybox-widget' shortcode in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-13591
The Team Builder For WPBakery Page BuilderFormerly Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'team-builder-vc' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-13591
The Team Builder For WPBakery Page BuilderFormerly Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'team-builder-vc' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied...
WordPress Easypromos Plugin plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by SOPROBRO in WordPress Plugin Easypromos versions = 1.3.8...
CVE-2024-13443
The CVE-2024-13443 entry concerns the Easypromos Plugin for WordPress. It is a Stored XSS vulnerability in the plugin’s Easypromos shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The issue affects all versions up to and including 1.3.8, and requir...
PT-2025-7374 · WordPress · Store Locator Widget
Name of the Vulnerable Software and Affected Versions: Store Locator Widget plugin for WordPress versions up to, and including, 20200131 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'storelocatorwidget' shortcode due to insufficient input sanitization and outp...
PT-2025-7325 · WordPress · Umich Oidc Login
Name of the Vulnerable Software and Affected Versions: UMich OIDC Login plugin for WordPress versions up to, and including, 1.2.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'umich oidc button' shortcode due to insufficient input sanitization and output...
PT-2025-7380 · WordPress · Widget Buy.Box
Name of the Vulnerable Software and Affected Versions: Widget BUY.BOX plugin for WordPress versions up to, and including, 3.1.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'buybox-widget' shortcode due to insufficient input sanitization and output escaping on...
PT-2025-7348 · WordPress · Adfo
Name of the Vulnerable Software and Affected Versions: ADFO – Custom data in admin dashboard plugin for WordPress versions up to, and including, 1.9.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'adfo list' shortcode due to insufficient input sanitization and...
PT-2025-7324 · WordPress · Ultraembed – Advanced Iframe Plugin For Wordpress
Name of the Vulnerable Software and Affected Versions: The UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included versions up to, and including, 1.0.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'iframe' shortcode due to insufficient...
WordPress Education Addon for Elementor plugin <= 1.3.1 - Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode vulnerability
Authenticated Contributor+ Insecure Direct Object Reference via naeduelementortemplate Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Education Addon for Elementor versions = 1.3.1...
CVE-2024-13743 Wonder Video Embed <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Wonder Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wonderpluginvideo shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-13689
The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...
CVE-2024-13689
CVE-2024-13689 affects the Uncode Core WordPress plugin. Public details from Wordfence indicate the vulnerability is in Uncode Core
CVE-2024-13689 Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias
The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...