8992 matches found
CVE-2023-5705
The VK Filter Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vkfiltersearch' shortcode in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-5774 Animated Counters <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Animated Counters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2023-5817 Neon text <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontextbox shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes color. This makes it possible for authenticated...
Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks v 3.1.1 - fbplugin video...
Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC v 3.1.1 - fbplugin video...
PT-2023-32350 · WordPress · Neon Text Plugin
Name of the Vulnerable Software and Affected Versions: Neon text plugin for WordPress version 1.1 and earlier Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes, specifically the color attribute, in the plugin's neontext box shortcod...
PT-2023-32278 · WordPress · Vk Filter Search
Name of the Vulnerable Software and Affected Versions: VK Filter Search plugin for WordPress versions up to, and including, 2.3.1 Description: The VK Filter Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk filter search' shortcode due to insufficient...
PT-2023-31581 · Callrail · Callrail Phone Call Tracking Plugin
Name of the Vulnerable Software and Affected Versions: CallRail Phone Call Tracking plugin for WordPress versions up to, and including, 0.5.2 Description: The issue arises from insufficient input sanitization and output escaping on the form id user-supplied attribute in the 'callrail form'...
Advanced Menu Widget <= 0.4.1 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...
Live Chat with Facebook Messenger < 1.0 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...
CPT Shortcode Generator <= 1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-5744
The Very Simple Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vsgmap' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-5740
The Live Chat with Facebook Messenger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'messenger' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
CVE-2023-5745
The Reusable Text Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text-blocks' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2023-5085
The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'advMenu' shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers wit...
CVE-2023-5126
The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugindeleteme' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2023-45644
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Anurag Deshmukh CPT Shortcode Generator plugin = 1.0 versions...
CVE-2023-45644
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Anurag Deshmukh CPT Shortcode Generator plugin = 1.0 versions...
WordPress Plugin CPT Shortcode Generator Cross Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting vulnerabilit...
Delete Me < 3.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
Description The plugin does not validate and escape some of its attributes for the plugindeleteme shortcode before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against...