WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution

The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode...

WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution

Shortcodes Ultimate plugin before 5.0.1 for WordPress contains a remote code execution caused by a filter in meta, post, or user shortcode, letting remote attackers execute arbitrary code, exploit requires sending crafted shortcode data. id: CVE-2017-18580 info: name: WordPress Shortcodes Ultimat...

CVE-2026-8885

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes...

CVE-2026-8885

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes...

CVE-2026-8885

The CVE-2026-8885 entry concerns the WordPress plugin DeMomentSomTres Shortcodes (versions

CVE-2026-8885 DeMomentSomTres Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes...

CVE-2026-8885 DeMomentSomTres Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes...

WordPress DeMomentSomTres Shortcodes plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin DeMomentSomTres Shortcodes versions = 1.1.1...

CVE-2026-8701

The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...

CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

CVE-2026-9200

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...

CVE-2026-1543

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1543

CVE-2026-1543 concerns the Avada (Fusion) Builder WordPress plugin. All versions up to and including 3.15.2 are affected by a Stored Cross-Site Scripting (XSS) flaw due to insufficient input sanitization and output escaping. The vulnerability can be exploited by an authenticated attacker with Sub...

CVE-2026-1543 Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Shortcodes

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

PT-2026-42394

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-6549

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

CVE-2026-6962 Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...

CVE-2026-6962

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...