8416 matches found
CVE-2026-6236
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2026-5748 Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute
The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ts shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2026-5748
CVE-2026-5748 describes a Stored Cross-Site Scripting vulnerability in the Text Snippets WordPress plugin (versions up to 0.0.1) where the ts shortcode attribute is not properly sanitized/escaped. Authenticated attackers with contributor-level access can inject scripts into pages, which execute f...
CVE-2026-4085
Summary: CVE-2026-4085 affects the Easy Social Photos Gallery WordPress plugin (versions up to 3.1.2). The vulnerability is a Stored XSS via the wrapper_class attribute of the my-instagram-feed shortcode, caused by using sanitize_text_field() instead of escaping with esc_attr() when outputting in...
CVE-2026-4085 Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute
The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapperclass' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user...
CVE-2026-6246 Simple Random Posts Shortcode <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'container_right_width' Shortcode Attribute
The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'containerrightwidth' attribute of the 'simplerandomposts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-4125
The CVE-2026-4125 entry describes a Stored XSS in the WPMK Block WordPress plugin (versions up to 1.0.1) where the user-supplied shortcode attribute 'class' is concatenated into an HTML class attribute without escaping, enabling exploitation by authenticated contributors+. The root cause is insuf...
CVE-2026-4125 WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-4125 WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-4125
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-5767 SlideShowPro SC <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'album' Shortcode Attribute
The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slideShowProSC shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-4089
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
CVE-2026-5767
The CVE-2026-5767 entry concerns the WordPress SlideShowPro SC plugin (vulnerable up to 1.0.2). It enables a Stored Cross-Site Scripting flaw through the slideShowProSC shortcode’s album attribute, allowed for authenticated users with contributor-level access and above. The vulnerability arises f...
CVE-2026-4076
Slider Bootstrap Carousel (WordPress)
CVE-2026-4126
Summary: The WordPress Table Manager plugin (v1.0.0 and earlier) is vulnerable to sensitive data exposure via the table shortcode. The handler uses a user-controlled table attribute, only applies sanitize_key(), and concatenates the value with $wpdb->prefix to form a full table name, then exec...
CVE-2026-4126 Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'tablemanager' shortcode. The shortcode handler tablemanagerrendertableshortcode takes a user-controlled table attribute, applies only sanitizekey for...
CVE-2026-4076 Slider Bootstrap Carousel <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribute...
CVE-2026-4076
The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribute...