Lucene search
K

3119 matches found

CVE
CVE
added 2026/04/23 2:25 a.m.12 views

CVE-2026-2951

CVE-2026-2951 affects the Gutentor – Gutenberg Blocks – Page Builder for WordPress (WordPress plugin). The vulnerability is a Stored Cross-Site Scripting flaw in versions up to and including 3.5.5 caused by insufficient input sanitization and output escaping in Gutentor blocks. This enables authe...

5.4CVSS5.9AI score0.00168EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.31 views

CVE-2026-4125 WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...

6.4CVSS0.00288EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.34 views

CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

6.4CVSS0.00288EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.6 views

PT-2026-34303

Name of the Vulnerable Software and Affected Versions SlideShowPro SC versions prior to 1.0.3 Description The SlideShowPro SC plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes withi...

6.4CVSS6AI score0.00227EPSS
Exploits0References6
CVE
CVE
added 2026/04/18 9:26 a.m.20 views

CVE-2026-2505

The CVE-2026-2505 entry concerns the WordPress Categories Images plugin (versions

5.4CVSS5.9AI score0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/18 12:0 a.m.8 views

PT-2026-33602

Name of the Vulnerable Software and Affected Versions Contextual Related Posts versions prior to 4.2.2 Description The Contextual Related Posts plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary w...

6.4CVSS5.9AI score0.00304EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/16 9:31 a.m.6 views

EUVD-2025-209491

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'putwpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on...

6.4CVSS5.9AI score0.00267EPSS
Exploits0References3
CVE
CVE
added 2026/04/16 6:44 a.m.11 views

CVE-2026-3875

The BetterDocs WordPress plugin is vulnerable to Stored Cross-Site Scripting via the betterdocs_feedback_form shortcode attributes in all versions up to 4.3.8. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, allowing authenticated attac...

6.4CVSS5.9AI score0.00218EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/16 6:44 a.m.4 views

CVE-2026-1620 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the laegettemplatepart function, which uses an inadequate strreplace approach that can...

8.8CVSS6AI score0.00816EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/16 6:44 a.m.32 views

CVE-2026-1620 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the laegettemplatepart function, which uses an inadequate strreplace approach that can...

8.8CVSS0.00816EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/16 2:25 a.m.4 views

CVE-2026-3885

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subox' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.0026EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/16 1:24 a.m.28 views

CVE-2026-3299 WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode

The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00214EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/15 7:45 a.m.5 views

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS5.9AI score0.00248EPSS
Exploits0References3
WPVulnDB
WPVulnDB
added 2026/04/15 12:0 a.m.12 views

12 Step Meeting List < 3.19.10 - Missing Authorization

Description The 12 Step Meeting List plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.19.9. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an...

6.5CVSS5.8AI score0.0027EPSS
Exploits0References1
CVE
CVE
added 2026/04/14 3:37 a.m.13 views

CVE-2026-4059

CVE-2026-4059 (ShopLentor WordPress plugin) is a Stored Cross-Site Scripting vulnerability affecting all versions up to 3.3.5. The issue arises from insufficient input sanitization and missing output escaping on the woolentor_quickview_button shortcode’s button_text attribute, allowing authentica...

6.4CVSS5.9AI score0.00296EPSS
Exploits0References7
CVE
CVE
added 2026/04/10 1:24 a.m.16 views

CVE-2026-4057

CVE-2026-4057 is reserved; connected document reveals a concrete vulnerability in WordPress Plugin Download Manager (versions

4.3CVSS5.9AI score0.00373EPSS
Exploits0References7
EUVD
EUVD
added 2026/04/08 9:32 p.m.4 views

EUVD-2024-47052

The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS6.1AI score0.00332EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/08 6:33 p.m.3 views

EUVD-2024-46946

The Infinite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘projecturl’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access an...

6.4CVSS6.1AI score0.00335EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/08 6:31 a.m.5 views

EUVD-2026-20034

The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the group attribute in the gallery shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the group attribute value without proper...

6.4CVSS6.1AI score0.00264EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/08 3:36 a.m.20 views

CVE-2026-3513 TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute

The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableonbutton' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS0.00264EPSS
Exploits0References6
Rows per page
Query Builder