1867 matches found
CVE-2026-9125
Summary: CVE-2026-9125 affects the Presto Player plugin for WordPress (up to version 4.2.0). The root cause is insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme va...
PT-2026-48818
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link url' parameter of the presto player overlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which...
CVE-2025-8444
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. Th...
CVE-2026-7662
The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the epaperflipembed shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute whic...
CVE-2026-8677
CVE-2026-8677 affects the Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress. All versions up to 1.3.3 are susceptible to Stored Cross-Site Scripting via Widget HTML Tag Settings due to insufficient input sanitization and output escaping. Exploitation req...
CVE-2026-8895 kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are...
CVE-2026-8882
CVE-2026-8882 affects the WP ApplicantStack Jobs Display WordPress plugin (versions up to 1.1.1). The vulnerability is a Stored Cross-Site Scripting via Shortcode Attributes caused by insufficient input sanitization and output escaping, exploitable by authenticated users with contributor-level ac...
CVE-2026-8882 WP ApplicantStack Jobs Display <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-7662
CVE-2026-7662 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin ePaperFlip Publisher (versions
CVE-2026-7662 ePaperFlip Publisher <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute
The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the epaperflipembed shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute whic...
CVE-2026-8880 RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancartbutton shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-8883
The CVE-2026-8883 entry concerns the WordPress plugin Global Body Mass Index Calculator, affected in versions up to 1.2. The vulnerability is a Stored Cross-Site Scripting issue via the gbmicalc shortcode attributes, caused by insufficient input sanitization and output escaping in GBMI_Calc_Widge...
CVE-2026-8883 Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...
CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...
PT-2026-47636
Name of the Vulnerable Software and Affected Versions TinyMCE shortcode Addon plugin for WordPress versions prior to 1.0.1 Description Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting...
PT-2026-47677
Name of the Vulnerable Software and Affected Versions kk blog card versions prior to 1.4 Description The kk blog card plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the plugin fails to properly sanitize input and escape output for the href and type attribut...
PT-2026-47725
Name of the Vulnerable Software and Affected Versions Prime Elementor Addons versions prior to 1.3.4 Description Insufficient input sanitization and output escaping in the Widget HTML Tag Settings allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site...
CVE-2026-7796
Technical details (affected plugin version, root cause, exploit specifics) are not provided in the supplied documents; monitor for updates.