CVE-2022-1910
CVE-2022-1910 is tied to the WordPress Shortcodes and Extra Features for Phlox plugin (pre-2.9.8). The Nuclei template confirms a cross-site scripting flaw where the plugin does not sanitize/escape a parameter before echoing it in the response. This allows an attacker to inject arbitrary scri...
WordPress plugin Shortcodes and extra features for Phlox cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The WordPress plugin is an application plugin. WordPress Shortcodes and extra features for Phlox plugin versions prior to 2.9.8 contain a...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.9.7 - Reflected Cross-Site-Scripting (XSS) vulnerability
Reflected Cross-Site-Scripting (XSS) vulnerability discovered by cydave in WordPress Shortcodes and extra features for Phlox theme plugin (versions <= 2.9.7). Solution: update the WordPress Shortcodes and extra features for Phlox theme plugin to the latest available version (at least 2.9.8)...
WordPress "WordPress Schema Plugin For Divi, Gutenberg & Shortcodes" plugin <= 3.6.0 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress "WordPress Schema Plugin For Divi, Gutenberg & Shortcodes" plugin (versions <= 3.6.0). Solution: no patched version available...
CVE-2022-24663
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...
Code injection
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...
CVE-2022-24663
CVE-2022-24663 affects the WordPress PHP Everywhere plugin (versions
Critical remote code execution vulnerabilities in WordPress PHP Everywhere plugin
THREAT LEVEL: Red. Three critical remote code execution (RCE) vulnerabilities in a WordPress plugin, PHP Everywhere, have been discovered. It is a plugin that allows web developers to utilize PHP code in pages, posts, the sidebar, or anywhere on...
VulnCheck KEV: CVE-2017-14726
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor...
Cross site scripting
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via (1) "color" or "cssclass" argument of sdmdownload shortcode, (2) "class" or "placeholder" argument of sdmsearchform shortcode...
WordPress Magee Shortcodes plugin <= 2.0.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Magee Shortcodes plugin (versions <= 2.0.8). Solution: update the WordPress Magee Shortcodes plugin to the latest available version (at least 2.0.9)...
Magee Shortcodes < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in AJAX actions available to both unauthenticated and authenticated users, leading to Reflected Cross-Site Scripting issues...
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via (1) "color" or "cssclass" argument of sdmdownload shortcode, (2) "class" or "placeholder" argument of sdmsearchform shortcode. PoC: // all spaces must be replaced with a slash sdmdownload...
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via (1) "color" or "cssclass" argument of sdmdownload shortcode, (2) "class" or "placeholder" argument of sdmsearchform shortcode. // all spaces must be replaced with a slash sdmdownload...
WordPress User Meta Shortcodes plugin access control error vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress User Meta Shortcodes Plugin has an access control error vulnerability that stems from the plugin's User...
CVE-2021-24859
The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users' metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data exfiltration, including password hashes...
CVE-2021-24817
The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks...
Cross site scripting
The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks...