8992 matches found

Positive Technologies · added 2024/01/11 12:00 a.m. · 6 views

PT-2024-15167 · WordPress · List Category Posts

Name of the Vulnerable Software and Affected Versions: The List category posts plugin for WordPress versions up to, and including, 0.89.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode due to insufficient input sanitization and output escapin...

CVSS 6.5 · AI score 5.7 · EPSS 0.0044
Exploits 0 · References 10

Positive Technologies · added 2024/01/11 12:00 a.m. · 6 views

PT-2024-15198 · WordPress · The Email Encoder – Protect Email Addresses/Phone Numbers

Name of the Vulnerable Software and Affected Versions: The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress versions up to, and including, 2.1.9 Description: The issue is related to Stored Cross-Site Scripting via the plugin's eeb mailto shortcode due to insufficient...

CVSS 6.4 · AI score 5.7 · EPSS 0.004
Exploits 0 · References 8

Patchstack · added 2024/01/10 12:00 a.m. · 11 views

WordPress WP Register Profile With Shortcode Plugin <= 3.5.9 is vulnerable to Cross Site Request Forgery (CSRF)

Software: WP Register Profile With Shortcode; Type: Plugin; Vulnerable versions: <= 3.5.9; Fixed in: 3.6.0; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-5448; Patch priority: Low; CVSS severity: Low 8.8; PSID: 4d4b8ee6f41a; Credits...

CVSS 8.8 · AI score 6.6 · EPSS 0.00324
Exploits 0 · References 3 · Affected Software 1

WPVulnDB · added 2024/01/05 12:00 a.m. · 16 views

Calculated Fields Form < 1.2.29 - Contributor+ Open Redirect

Description: The plugin does not validate a shortcode attribute, which could allow Contributor and above role to perform Open Redirect attack...

CVSS 5.4 · AI score 7.1 · EPSS 0.00294
Exploits 1 · References 1 · Affected Software 1

WPVulnDB · added 2024/01/05 12:00 a.m. · 21 views

Zoho Forms < 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description: The Zoho Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including 3.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.5 · AI score 5.9 · EPSS 0.01076
Exploits 0 · References 1 · Affected Software 1

WPVulnDB · added 2024/01/05 12:00 a.m. · 13 views

Booking Manager < 2.1.6 - Authenticated(Contributor+) SQL Injection via Shortcode

Description: The Booking Manager plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode attributes in all versions up to 2.1.6 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVSS 8.8 · AI score 7.5 · EPSS 0.00537
Exploits 0 · References 1 · Affected Software 1

WPVulnDB · added 2024/01/05 12:00 a.m. · 16 views

Back Button Widget < 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description: The Back Button Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.5 · AI score 5.9 · EPSS 0.00328
Exploits 0 · References 1 · Affected Software 1

Positive Technologies · added 2024/01/04 12:00 a.m. · 7 views

PT-2024-15065 · WordPress · Wp-Members Membership Plugin

Name of the Vulnerable Software and Affected Versions: WP-Members Membership Plugin versions up to, and including, 3.4.8 Description: The issue allows authenticated attackers with contributor access and above to extract sensitive data, including user emails, password hashes, and usernames, via th...

CVSS 6.5 · AI score 9.5 · EPSS 0.0044
Exploits 0 · References 8

WPVulnDB · added 2024/01/04 12:00 a.m. · 18 views

Advanced Access Manager < 6.9.19 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.5 · AI score 6.1 · EPSS 0.00328
Exploits 0 · References 1 · Affected Software 1

wpexploit · added 2024/01/03 12:00 a.m. · 213 views

MapPress Maps for WordPress < 2.88.14 - Contributor+ Stored XSS

Description: The plugin does not sanitize and escape the Point of Interest Title and Description options in a map, allowing Contributor and above role to perform Stored Cross-Site Scripting attacks. As a contributor, add/edit a Map and search any location you want. Add XSS Payload on Location’s...

CVSS 6.4 · AI score 5.6 · EPSS 0.00547
Exploits 2 · References 2

Positive Technologies · added 2024/01/02 12:00 a.m. · 5 views

PT-2024-15160 · WordPress · Embedpress

Name of the Vulnerable Software and Affected Versions: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress versions up to 3.9.5 exclusive Description: The issue is related to Stored Cross-Site Scripting via...

CVSS 6.4 · AI score 5.6 · EPSS 0.00427
Exploits 0 · References 9

OSV · added 2023/12/21 3:15 p.m. · 2 views

CVE-2023-50825

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Terrier Tenacity iframe Shortcode allows Stored XSS. This issue affects iframe Shortcode: from n/a through 2.0...

CVSS 5.4 · AI score 7.3 · EPSS 0.00321
Exploits 0 · References 1

Cvelist · added 2023/12/21 2:44 p.m. · 24 views

CVE-2023-50825 WordPress iframe Shortcode Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Terrier Tenacity iframe Shortcode allows Stored XSS. This issue affects iframe Shortcode: from n/a through 2.0...

CVSS 6.5 · AI score 6.6 · EPSS 0.00321
Exploits 0 · References 1

CVE · added 2023/12/21 2:44 p.m. · 70 views

CVE-2023-50825

CVE-2023-50825 describes a stored cross-site scripting (XSS) flaw in the WordPress plugin/component named iframe Shortcode. The Initial Description states that this is an XSS in the iframe Shortcode and the vulnerability affects versions up to 2.0. The Connected Documents provide no additional te...

CVSS 6.5 · AI score 6.7 · EPSS 0.00321
Exploits 0 · References 1 · Affected Software 1

CNNVD · added 2023/12/21 12:00 a.m. · 3 views

WordPress plugin iframe Shortcode Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

CVSS 6.5 · AI score 6.1 · EPSS 0.00321
Exploits 0 · References 2

wpexploit · added 2023/12/21 12:00 a.m. · 182 views

JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF

Description: The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. wpfgc url="http://127.0.0.1:8084"...

CVSS 8.8 · AI score 6.8 · EPSS 0.00694
Exploits 2

Positive Technologies · added 2023/12/21 12:00 a.m. · 5 views

PT-2023-31656 · Unknown · Terrier Tenacity Iframe Shortcode

Name of the Vulnerable Software and Affected Versions: Terrier Tenacity iframe Shortcode versions n/a through 2.0 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This affects the iframe...

CVSS 6.5 · AI score 6 · EPSS 0.00321
Exploits 0 · References 5

WPVulnDB · added 2023/12/20 12:00 a.m. · 26 views

Limit Login Attempts Reloaded < 2.25.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description: The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4 · AI score 5.6 · EPSS 0.0043
Exploits 0 · References 1 · Affected Software 1

OSV · added 2023/12/19 4:15 a.m. · 3 views

CVE-2023-5432

The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 5.9 · EPSS 0.00426
Exploits 0 · References 3

WPVulnDB · added 2023/12/19 12:00 a.m. · 16 views

Jquery news ticker < 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description: The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 · AI score 5.7 · EPSS 0.00426
Exploits 0 · References 1 · Affected Software 1