2096 matches found
WordPress Shortcodes Ultimate plugin <= 5.10.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Shortcodes Ultimate plugin versions <= 5.10.1. Solution: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.10.2)...
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design like subutton's onclick attribute...
WordPress plugin cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists i...
WordPress plugin cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists i...
Simple Sort&Search <= 0.0.3 - Contributor+ Stored XSS
The plugin does not make sure that the indexurl parameter of the shortcodes "categorysims", "ordersims", "orderbysims", "periodsims", and "tagsims" uses allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor. PoC: As a contributor, add one of...
Simple Sort&Search <= 0.0.3 - Contributor+ Stored XSS
The plugin does not make sure that the indexurl parameter of the shortcodes "categorysims", "ordersims", "orderbysims", "periodsims", and "tagsims" uses allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor. As a contributor, add one of the...
CVE-2021-24221
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to...
CVE-2020-7107
The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php...
CVE-2020-7107
The Ultimate FAQ WordPress plugin prior to version 1.8.30 is vulnerable to Cross-Site Scripting (XSS) via the Display_FAQ parameter routed through Shortcodes/DisplayFAQs.php. The issue stems from insufficient sanitization of the Display_FAQ GET parameter, enabling an attacker t...
Cross site scripting
The events-manager plugin through 5.9.5 for WordPress, aka Events Manager, is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes locations_map and events_map provided by the plugin...
CVE-2019-16523
The CVE refers to the WordPress Events Manager plugin (up to v5.9.5) being vulnerable to Stored XSS via improper encoding/insertion of data provided to the map_style attribute of the locations_map and events_map shortcodes. Root cause: insufficient encoding of user-controlled input embedded into ...
CVE-2019-16523
The events-manager plugin through 5.9.5 for WordPress, aka Events Manager, is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes locations_map and events_map provided by the plugin...
PT-2019-14685 · WordPress · Events Manager
Name of the Vulnerable Software and Affected Versions: Events Manager plugin versions through 5.9.5. Description: The issue arises from improper encoding and insertion of data provided to the map style attribute of shortcodes, specifically locations map and events map, leading to Stored XSS...
CVE-2015-9421
The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter...
Cross site request forgery (CSRF)
The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter...
CVE-2015-9421
The CVE refers to the Olevmedia Shortcodes WordPress plugin. It is affected by a CSRF-induced XSS vulnerability in versions before 1.1.9, exploitable via wp-admin/admin-ajax.php?action=omsc_popup id parameter. The issue arises from a CSRF weakness that can trigger script execution in the context ...
CVE-2016-10996
The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak...