WordPress Plugin UserPro Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

PT-2023-32124 · WordPress · Drop Shadow Boxes

Name of the Vulnerable Software and Affected Versions: Drop Shadow Boxes plugin for WordPress versions up to, and including, 1.7.13 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the dropshadowbox shortcode. This allows...

PT-2023-31963 · WordPress · Related Products For Woocommerce

Name of the Vulnerable Software and Affected Versions: Related Products for WooCommerce plugin for WordPress versions up to, and including, 3.3.15 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the woo-related shortcode. This...

WordPress Plugin HTML filter and csv-file search security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

PT-2023-31865 · WordPress · Weather Atlas Widget

Name of the Vulnerable Software and Affected Versions: The Weather Atlas Widget plugin for WordPress versions up to, and including, 1.2.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'shortcode-weather-atlas' shortcode,...

PT-2023-31714 · WordPress · Wordpress

Name of the Vulnerable Software and Affected Versions: HTML filter and csv-file search plugin for WordPress versions up to 2.7 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'csvsearch' shortcode, allowing...

PT-2023-19620 · WordPress · Userpro

Name of the Vulnerable Software and Affected Versions: UserPro plugin for WordPress versions up to and including 5.1.1 Description: The issue allows authenticated attackers with subscriber-level permissions and above to disclose sensitive user information. This is possible due to insufficient...

PT-2023-32281 · WordPress · Wp Post Columns

Name of the Vulnerable Software and Affected Versions: WP Post Columns plugin for WordPress versions up to, and including, 2.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'column' shortcode due to insufficient input sanitization and output escaping on...

WordPress UserPro 5.1.x Password Reset / Authentication Bypass / Escalation

Vulnerability Details & Technical Analysis Password Reset to Privilege Escalation using the Sensitive Information Disclosure via Shortcode Description: UserPro = 5.1.1 – Insecure Password Reset Mechanism Affected Plugin: UserPro Plugin Slug: userpro Affected Versions: = 5.1.1 CVE ID: CVE-2023-244...

VulnCheck KEV: CVE-2023-2446

The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for...

CVE-2023-4799

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-48300 Embed Privacy missing escaping for show_all attribute in opt-out shortcode

The Embed Privacy plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via embedprivacyoptout shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attribute...

WordPress Plugin Embed Privacy Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. WordPress Plugin Embed Privacy 1.8....

QR Code Tag <= 1.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its qrcodetag shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

POWR < 2.2.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its powr-powr-pack shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Telephone Number Linker <= 1.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its telnumlink shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Featured Image Caption < 0.8.11 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

ShortCodes UI <= 1.9.8 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Social Feed <= 1.5.4.6 - Author+ Stored XSS

Description The plugin does not validate and escape some of its socialfeed shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Author role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-4889

The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...