Improper Input Validation

Overview johnpbloch/wordpress-core is a web software you can use to create a website or blog. Affected versions of this package are vulnerable to Improper Input Validation due to insufficient input validation in the parsemediashortcode AJAX function. An attacker can manipulate the shortcode outpu...

WordPress CPT Shortcode Generator Plugin <= 1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Software CPT Shortcode Generator Type Plugin Vulnerable versions = 1.0 Fixed in N/A OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-45643 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 729ac653cedf Credits Lokesh Dachepal...

WordPress Remote Content Shortcode Plugin <= 1.5 is vulnerable to Local File Inclusion

Software Remote Content Shortcode Type Plugin Vulnerable versions = 1.5 Fixed in N/A OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2023-45652 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 6e56401bc4b5 Credits Mika Required privilege Contributor...

Google Map Shortcode <= 3.1.2 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVE-2023-5468

The Slick Contact Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcscf-link' shortcode in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVE-2023-5468 Slick Contact Forms <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Slick Contact Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcscf-link' shortcode in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

PT-2023-32123 · WordPress · Slick Contact Forms

Name of the Vulnerable Software and Affected Versions: Slick Contact Forms plugin for WordPress versions up to, and including, 1.3.7 Description: The issue is related to Stored Cross-Site Scripting via the 'dcscf-link' shortcode due to insufficient input sanitization and output escaping on...

Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Po...

CVE-2023-5357

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

Cross site scripting

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-5291 Blog Filter <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-5357 Instagram for WordPress <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-38396 WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery CSRF vulnerability in Alain Gonzalez plugin = 3.1.2 versions...

CVE-2023-38396 WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery CSRF vulnerability in Alain Gonzalez plugin = 3.1.2 versions...

CVE-2023-5334 WP Responsive header image slider <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'spresponsiveslider' shortcode in versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

WordPress Plugin google-map-shortcode Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site request forgery vulnerability...

PT-2023-32053 · WordPress · Wp Responsive Header Image Slider

Name of the Vulnerable Software and Affected Versions: WP Responsive header image slider plugin for WordPress versions up to, and including, 3.2.1 Description: The issue is related to Stored Cross-Site Scripting via the 'sp responsiveslider' shortcode due to insufficient input sanitization and...

CVE-2023-5201

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...

CVE-2023-5295

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

Remote code execution

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...