10 matches found

ATTACKERKB
added 2026/04/22 7:45 a.m. | 1 views

CVE-2026-4125

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...

CVSS 6.4 | AI score 5.9 | EPSS 0.00014
Exploits 0 | References 6

Cvelist
added 2025/09/12 6:0 a.m. | 5 views

CVE-2025-3650 jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators...

EPSS 0.00035
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 9:2 a.m. | 3 views

CVE-2024-2953

The LuckyWP Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor permissio...

CVSS 5.5 | AI score 5.1 | EPSS 0.00335
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 8:48 a.m. | 1 views

CVE-2024-2697

The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against...

CVSS 6.5 | AI score 5.5 | EPSS 0.00429
Exploits 2 | References 1

Patchstack
added 2024/10/17 6:29 a.m. | 2 views

WordPress Parallax Image plugin <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via dd-parallax Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Parallax Image versions <= 1.8...

CVSS 6.4 | AI score 5.8 | EPSS 0.00329
Exploits 1 | References 1 | Affected Software 1

wpexploit
added 2023/01/23 12:0 a.m. | 382 views

Zoho Forms < 3.0.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the following in a bl...

CVSS 5.4 | AI score 5.2 | EPSS 0.01284
Exploits 2

Positive Technologies
added 2023/01/16 12:0 a.m. | 1 views

PT-2023-14495 · WordPress · 3D Flipbook Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: 3D FlipBook WordPress plugin versions 1.13.2 and earlier
Description: The issue concerns the 3D FlipBook WordPress plugin, which does not validate or escape some of its shortcode attributes before outputting them back in the page. This could...

CVSS 6.1 | AI score 6.2 | EPSS 0.00363
Exploits 2 | References 5

wpexploit
added 2023/01/10 12:0 a.m. | 173 views

PDF.js Viewer < 2.1.8 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. pdfjs-viewer viewerheight='"...

CVSS 5.4 | AI score 2.8 | EPSS 0.00296
Exploits 2

wpexploit
added 2021/09/21 12:0 a.m. | 503 views

Game Server Status <= 1.0 - Contributor+ SQL Injection

The plugin does not validate or escape the server id shortcode attribute before using it in a SQL statement, allowing any user with a role as low as contributor to perform SQL Injection attacks. As a contributor or above, put the below shortcode in a page/post and view/preview it game-servers...

AI score 1.4
Exploits 0

wpexploit
added 2021/07/12 12:0 a.m. | 55 views

Page View Counts < 2.4.9 - Contributor+ Stored XSS

The plugin does not escape the postid parameter of pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege user...

CVSS 3.5 | AI score 1.7 | EPSS 0.00162
Exploits 2