CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

EUVD-2026-32089

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

CVE-2026-8847

The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...

CVE-2026-8847 Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

CVE-2026-8847 Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

CVE-2026-8847

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

CVE-2026-8894 iWR Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's iwrtooltip shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the iwrtooltip shortcode handler — the...

CVE-2026-8845 Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...

CVE-2026-8845

CVE-2026-8845 : The WordPress Islamic Database plugin (versions

EUVD-2026-32081

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...

EUVD-2026-32078

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

CVE-2026-8891

The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...

CVE-2026-8048 My Email Shortcode <= 0.91 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2026-8048

The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2026-8048

The CVE-2026-8048 entry concerns the WordPress plugin My Email Shortcode. Affected: plugin versions up to and including 0.91. Vulnerability: Stored Cross-Site Scripting via the subject attribute of the my-email shortcode, caused by insufficient input sanitization and output escaping. Impact: auth...

CVE-2026-8869 Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfdshortcode...

CVE-2026-8869

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfdshortcode...

CVE-2026-8869

CVE-2026-8869 : The WordPress plugin Mutual Funds Data (versions &lt;= 1.2.1) is vulnerable to Stored Cross-Site Scripting via the shortcodes’ title attribute. The root cause is insufficient input sanitization and output escaping in the mfd_shortcode() function, where the user-supplied title is c...

CVE-2026-8869 Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfdshortcode...