8984 matches found
CVE-2023-0275 Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS
The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...
CVE-2023-0061 Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Si...
CVE-2023-0333
The CVE-2023-0333 entry concerns the TemplatesNext ToolKit WordPress plugin prior to version 3.2.9. The issue is that the plugin does not validate some shortcode attributes before using them to generate HTML tags, enabling Stored Cross-Site Scripting (XSS) when an attacker with Contributor privil...
CVE-2023-0169 Zoho Forms < 3.0.1 - Contributor+ Stored XSS
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4458 Amr Shortcode Any Widget <= 4.0 - Contributor+ Stored XSS
The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against hig...
CVE-2022-4458
CVE-2022-4458 affects the WordPress plugin “amr shortcode any widget” versions prior to 4.0. The issue is that certain shortcode attributes are not validated or escaped before being echoed in the page, enabling a contributor‑level user to perform Stored XSS that could affect admins. Mitigation: u...
CVE-2022-4551 Rich Table of Contents < 1.3.9 - Contributor+ Stored XSS
The Rich Table of Contents WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attack...
CVE-2022-4448 GiveWP < 2.24.0 - Contributor+ Stored XSS
The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4448 GiveWP < 2.24.0 - Contributor+ Stored XSS
The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-0270 YaMaps for WordPress Plugin < 0.6.26 - Contributor+ Stored XSS
The YaMaps for WordPress Plugin WordPress plugin before 0.6.26 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVE-2022-4473 Widget Shortcode <= 0.3.5 - Contributor+ Stored XSS
The Widget Shortcode WordPress plugin through 0.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...
CVE-2022-4473
CVE-2022-4473 concerns the WordPress plugin Widget Shortcode (
Cost Calculator <= 1.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC ndcostcalculator id='"...
UpQode Google Maps <= 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit: vcugmmap mapheight='100px;...
Advanced Recent Posts <= 0.6.14 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC lptwrecentposts colorscheme='"...
PT-2023-14532 · WordPress · Yarpp
Name of the Vulnerable Software and Affected Versions: YARPP WordPress plugin versions prior to 5.30.3 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the YARPP WordPress plugin, which could allow users with the contributor role and above to...
PT-2023-15960 · WordPress · Jetwidgets For Elementor
Name of the Vulnerable Software and Affected Versions: JetWidgets For Elementor WordPress plugin versions prior to 1.0.14 Description: The issue concerns the JetWidgets For Elementor WordPress plugin, which does not properly validate and escape some of its shortcode attributes before outputting...
PT-2023-15992 · WordPress · Amazon Js Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Amazon JS WordPress plugin versions 0.10 and earlier Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the Amazon JS WordPress plugin, which can lead to Stored Cross-Site Scripting attacks...
WordPress plugin Widget Shortcode 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in WordPress...
PT-2023-15413 · WordPress · Gigpress
Name of the Vulnerable Software and Affected Versions: GigPress WordPress plugin versions prior to 2.3.28 Description: The issue concerns the GigPress WordPress plugin, which does not properly validate and escape certain shortcode attributes before outputting them in a page or post. This could...