5 matches found
CVE-2026-8895
CVE-2026-8895 affects the WordPress plugin kk blog card up to version 1.3. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) in the plugin’s blog-card shortcode, caused by insufficient sanitization and output escaping of the shortcode’s href and type attributes. These values are con...
CVE-2023-4035
The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-4035 Simple Blog Card < 1.31 - Contributor+ Stored XSS via Shortcode
The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones PoC Run the below command in the developer...
WordPress Simple Blog Card Plugin < 1.32 is vulnerable to Sensitive Data Exposure
Software Simple Blog Card Type Plugin Vulnerable versions 1.32 Fixed in 1.32 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE N/A Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID e0b1d4664953 Credits N/A Required privilege Subscriber...