EUVD-2026-35305

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancartbutton shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...

EUVD-2026-33254

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carouseldirection' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render function, where the...

CVE-2026-4790

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customsvg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible fo...

EUVD-2026-24690

The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the cihubmetadata shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

CVE-2026-4089

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

CVE-2026-4011

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the...

CVE-2026-1607

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

EUVD-2026-20045

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learnpresscourses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode...

PT-2026-31286

Name of the Vulnerable Software and Affected Versions PrivateContent Free versions up to and including 1.2.0 Description The PrivateContent Free plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'align' shortcode attribute within the pc-login-form shortcode. This occu...

CVE-2025-13535

The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. T...

CVE-2026-1886

The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin'...

CVE-2026-4067

CVE-2026-4067: The Ad Short WordPress plugin (≤ v2.0.1) is vulnerable to Stored XSS via the ad shortcode’s client attribute due to insufficient input sanitization and missing escaping when constructing the data-ad-client attribute. The ad_func() handler reads the client attribute with shortcode_a...

CVE-2026-0550

The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycredloadcoupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13887

The AI BotKit – AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the aibotkitwidget shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it...

CVE-2025-15058

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tablecurrency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2026-1635

Name of the Vulnerable Software and Affected Versions My Album Gallery plugin for WordPress versions prior to 1.0.5 Description The My Album Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the style css shortcode attribute. Insufficient input sanitization and...

CVE-2025-8199

The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

PT-2025-47704

The WPSite Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the wpsite y shortcode and the 'before' attribute in the wpsite postauthor shortcode in all versions up to, and including, 1.2. This is due to insufficient input...

CVE-2025-12823

The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

PT-2025-44577

Name of the Vulnerable Software and Affected Versions Qzzr Shortcode Plugin for WordPress versions prior to 1.0.2 Description The Qzzr Shortcode Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'qzzr' shortcode. This is a result of inadequate input sanitization and...