WordPress Custom Post Type Attachment plugin <= 3.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via pdf_attachment Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via pdfattachment Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Custom Post Type Attachment versions = 3.4.5...

WordPress All-in-One Video Gallery plugin <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode vulnerability

Authenticated Contributor+ Local File Inclusion via aiovgsearchform Shortcode vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin All-in-One Video Gallery versions = 3.6.5...

CVE-2024-4392

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2024-4144

The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of...

CVE-2024-4383

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpmpaypalsubscriptioncancellink' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-4038

The The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.3.1. This is due to the plugin for WordPress allowing users to execute an action that does not proper...

CVE-2024-4039

The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running doshortcode...

CVE-2024-4144 Simple Basic Contact Form <= 20240502 - Unauthenticated Arbitrary Shortcode Execution

The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of...

CVE-2024-4144

CVE-2024-4144 affects the WordPress plugin Simple Basic Contact Form . The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, via an arbitrary shortcode execution flaw in all versions up to 20240502. The CVSS baseline in the connected data is 6.5 (Medium) with network...

CVE-2024-4144 Simple Basic Contact Form <= 20240502 - Unauthenticated Arbitrary Shortcode Execution

The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the functionality of...

WordPress Jetpack plugin <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode vulnerability discovered by wesley wcraft in WordPress Plugin Jetpack versions = 13.3.1...

WordPress Simple Basic Contact Form plugin <= 20240502 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by stealthcopter in WordPress Plugin Simple Basic Contact Form versions = 20240502...

WordPress plugin Testimonial Slider 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode

Description The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks. wpvideo OcobLTqC freedom=true preloadContent='"src=x onerror=alertdocument.cookie xss'...

Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode

Description The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks. PoC wpvideo OcobLTqC freedom=true preloadContent='"src=x onerror=alertdocument.cookie xss'...

PT-2024-30780

Name of the Vulnerable Software and Affected Versions Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress versions up to, and including, 13.3.1 Description The issue is related to Stored Cross-Site Scripting via the plugin's wpvideo shortcode due to insufficient input sanitization...

Simple Basic Contact Form < 20240511 - Unauthenticated Arbitrary Shortcode Execution

Description The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the...

CVE-2024-4039

CVE-2024-4039 affects Orders Tracking for WooCommerce (WordPress). Unauthenticated attackers can exploit arbitrary shortcode execution via an action that calls do_shortcode without proper validation, impacting all versions up to 1.2.10. A partial patch arrived in 1.2.10 and a full patch in 1.2.11...

CVE-2024-4039 Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution

The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running doshortcode...

CVE-2024-4039 Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution

The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running doshortcode...