2096 matches found

Positive Technologies
added 2023/09/25 12:0 a.m. · 4 views

PT-2023-31863 · WordPress · Modal Window

Name of the Vulnerable Software and Affected Versions: The Modal Window plugin for WordPress versions up to, and including, 5.3.5. Description: The issue is related to Stored Cross-Site Scripting via shortcodes due to insufficient input sanitization and output escaping on user-supplied attributes...

6.4 CVSS · 5.5 AI score · 0.00568 EPSS
Exploits 0 · References 9
CNNVD
added 2023/09/23 12:0 a.m. · 4 views

WordPress plugin Easy Registration Forms Information Disclosure Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. An information disclosure vulnerability...

4.3 CVSS · 6.3 AI score · 0.00441 EPSS
Exploits 0 · References 3
Patchstack
added 2023/09/22 12:0 a.m. · 4 views

WordPress Memberlite Shortcodes Plugin < 1.3.9 is vulnerable to Cross Site Scripting (XSS)

Software: Memberlite Shortcodes; Type: Plugin; Vulnerable versions: < 1.3.9; Fixed in: 1.3.9; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: N/A; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 9771f4488b86; Credits: Unknown; Required privilege...

6 AI score
Exploits 0 · References 2 · Affected Software 1
wpexploit
added 2023/09/21 12:0 a.m. · 145 views

Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. msalert...

5.4 CVSS · 5.4 AI score · 0.00403 EPSS
Exploits 2
WPVulnDB
added 2023/09/21 12:0 a.m. · 22 views

Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC msalert...

5.4 CVSS · 5.4 AI score · 0.00403 EPSS
Exploits 2
ATTACKERKB
added 2023/09/09 2:15 a.m. · 3 views

CVE-2023-4838

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible...

6.4 CVSS · 6.9 AI score · 0.00313 EPSS
Exploits 0 · References 3 · Affected Software 1
OSV
added 2023/09/09 2:15 a.m. · 1 views

CVE-2023-4838

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible...

5.4 CVSS · 5.9 AI score · 0.00313 EPSS
Exploits 0 · References 2
Positive Technologies
added 2023/09/09 12:0 a.m. · 2 views

PT-2023-32827 · WordPress · User Shortcodes Plus

Name of the Vulnerable Software and Affected Versions: User Shortcodes Plus plugin for WordPress versions up to, and including, 2.0.2. Description: The issue is related to Insecure Direct Object Reference, which affects the user meta shortcode due to missing validation on a user-controlled key. Th...

5.3 CVSS · 9.3 AI score · 0.00472 EPSS
Exploits 0 · References 8
Patchstack
added 2023/09/05 12:0 a.m. · 12 views

WordPress Rescue Shortcodes Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)

Software: Rescue Shortcodes; Type: Plugin; Vulnerable versions: <= 2.5; Fixed in: 2.6; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2023-41728; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: e35ae9ed3dd7; Credits: yuyudhn; Required privileg...

6.5 CVSS · 5.7 AI score · 0.0031 EPSS
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/09/02 3:28 a.m. · 1 views

CVE-2023-4718 Font Awesome 4 Menus <= 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

6.4 CVSS · 6.8 AI score · 0.0044 EPSS
Exploits 0 · References 3
Prion
added 2023/08/16 12:15 p.m. · 16 views

Server-side request forgery (SSRF)

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in its admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the site's internal network...

6.5 CVSS · 8.6 AI score · 0.00823 EPSS
Exploits 2 · References 1 · Affected Software 1
CNNVD
added 2023/08/16 12:0 a.m. · 2 views

WordPress Plugin Tiempo.com Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forger...

4.3 CVSS · 6.5 AI score · 0.00252 EPSS
Exploits 2 · References 2
Positive Technologies
added 2023/08/16 12:0 a.m. · 3 views

PT-2023-17385 · WordPress · Booking Manager

Name of the Vulnerable Software and Affected Versions: The Booking Manager WordPress plugin versions prior to 2.0.29. Description: The issue concerns a lack of validation for URLs input in the admin panel or in shortcodes for showing events from a remote .ics file. This allows an attacker with...

8.8 CVSS · 8.6 AI score · 0.00823 EPSS
Exploits 2 · References 8
Patchstack
added 2023/07/18 12:0 a.m. · 6 views

WordPress WordPress Schema Plugin For Divi, Gutenberg & Shortcodes Plugin < 4.0.3 is vulnerable to Cross Site Scripting (XSS)

Software: WordPress Schema Plugin For Divi, Gutenberg & Shortcodes; Type: Plugin; Vulnerable versions: < 4.0.3; Fixed in: 4.0.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: ec35450c6ae5...

6.8 AI score · 0.00284 EPSS
Exploits 0 · References 3 · Affected Software 1
Patchstack
added 2023/07/18 12:0 a.m. · 12 views

WordPress Shortcodes Ultimate Plugin <= 5.13.0 is vulnerable to Cross Site Scripting (XSS)

Software: Shortcodes Ultimate; Type: Plugin; Vulnerable versions: <= 5.13.0; Fixed in: 5.13.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 568e2ac38f7b; Credits: Rafie Muhammad Patchstack...

6.4 AI score · 0.00284 EPSS
Exploits 0 · References 3 · Affected Software 1
OSV
added 2023/07/04 8:15 a.m. · 2 views

CVE-2022-4623

The ND Shortcodes WordPress plugin before 7.0 does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4 CVSS · 5.8 AI score · 0.0038 EPSS
Exploits 2 · References 1
OSV
added 2023/07/04 8:15 a.m. · 1 views

CVE-2023-1273

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...

8.8 CVSS · 7.3 AI score · 0.01367 EPSS
Exploits 2 · References 1
NVD
added 2023/07/04 8:15 a.m. · 9 views

CVE-2023-1273

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...

8.8 CVSS · 8.6 AI score · 0.01367 EPSS
Exploits 2 · References 1
Prion
added 2023/07/04 8:15 a.m. · 15 views

Cross site scripting

The ND Shortcodes WordPress plugin before 7.0 does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

4.9 CVSS · 5.4 AI score · 0.0038 EPSS
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2023/07/04 7:23 a.m. · 12 views

CVE-2023-1273 ND Shortcodes < 7.0 - Subscriber+ LFI

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks...

6.5 AI score · 0.01367 EPSS
Exploits 2 · References 1