10 matches found
CVE-2026-8866
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...
CVE-2026-2305 AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the aFhfcheadcode, aFhfcbodycode, and aFhfcfootercode post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or...
CVE-2026-1908
The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2025-23604
Malicious code in bioql PyPI...
CVE-2025-7654
Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wfgetcookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make...
CVE-2025-5753
The Valuation Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...
PT-2025-27072 · WordPress · Ninja Forms
Name of the Vulnerable Software and Affected Versions: Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress versions up to, and including, 3.10.2.1 Description: The issue is related to Stored Cross-Site Scripting via the use of a templating engine due to insufficient...
CVE-2024-8282
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:ive/ive-productscarousel' Gutenberg block in all versions up to, and including, 1.2.4.4 due to insufficient input sanitization and output escaping. Thi...
CVE-2025-4099
The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listchildren' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2023-16302 · WordPress · F(X) Toc Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: fx TOC WordPress plugin versions 1.1.0 and earlier Description: The issue concerns the fx TOC WordPress plugin, which does not properly validate and escape some of its shortcode attributes before outputting them in a page or post. This could...