8486 matches found
CVE-2026-1853
CVE-2026-1853 : The BuddyHolis ListSearch plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (SXSS) via the plugin’s shortcodes. In versions up to and including 1.1, insufficient input sanitization and output escaping on user-supplied attributes enables an attacker with at least ...
CVE-2026-1885 Slideshow Wp <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute
The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-1804 WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1885
The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-1804 WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1885
The CVE-2026-1885 issue affects the WordPress Slideshow Wp plugin (versions up to 1.1). It is a Stored Cross-Site Scripting (XSS) vulnerability via the sswpid attribute of the sswp-slide shortcode, caused by insufficient input sanitization/output escaping. Exploitation requires authenticated acce...
CVE-2026-1804
CVE-2026-1804 concerns the WDES Responsive Popup WordPress plugin (versions
CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute
The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...
WordPress Slideshow Wp plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Slideshow Wp versions = 1.1...
WordPress Sudoku Shortcode plugin <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute vulnerability
Authenticated Contributor+ Cross-Site Scripting via 'background' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Sudoku Shortcode versions = 1.0.0...
WordPress Orbisius Random Name Generator plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'btnlabel' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Orbisius Random Name Generator versions = 1.0.2...
CVE-2026-1922
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-1922 The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-1922
CVE-2026-1922 : The Events Calendar Shortcode & Block plugin for WordPress contains a stored XSS vulnerability in the ecs-list-events shortcode, via the message attribute. It affects all versions up to 3.1.2 and arises from insufficient input sanitization and output escaping on user-supplied attr...
PT-2026-7247
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...
Axios 代码问题漏洞
Axios is an open-source HTTP client developed by Axios. Versions of Axios prior to 1.13.5 had code vulnerabilities. These vulnerabilities stemmed from a crash that occurred when the mergeConfig function processed configuration objects containing the proto attribute, which could lead to a...
PowerDocu 代码问题漏洞
PowerDocu is a canvas generation software developed by Rene Modery. Versions of PowerDocu prior to 2.4.0 had code vulnerabilities. These vulnerabilities stemmed from blindly trusting the $type attribute during the parsing of JSON files, which could lead to code execution...
CVE-2026-25650
MCP Salesforce Connector is a Model Context Protocol MCP server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10...
RLSA-2025:18285 Important: firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: thunderbird: firefox: Memory safety bugs CVE-2025-11714 thunderbird: firefox: Out of bounds read/write in a privileged process triggered by WebGL textures CVE-2025-11709...
CVE-2025-15477 The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes
The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode category and id attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This...