3119 matches found
CVE-2026-2951
CVE-2026-2951 affects the Gutentor – Gutenberg Blocks – Page Builder for WordPress (WordPress plugin). The vulnerability is a Stored Cross-Site Scripting flaw in versions up to and including 3.5.5 caused by insufficient input sanitization and output escaping in Gutentor blocks. This enables authe...
CVE-2026-4125 WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...
CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...
PT-2026-34303
Name of the Vulnerable Software and Affected Versions SlideShowPro SC versions prior to 1.0.3 Description The SlideShowPro SC plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes withi...
CVE-2026-2505
The CVE-2026-2505 entry concerns the WordPress Categories Images plugin (versions
PT-2026-33602
Name of the Vulnerable Software and Affected Versions Contextual Related Posts versions prior to 4.2.2 Description The Contextual Related Posts plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary w...
EUVD-2025-209491
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'putwpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on...
CVE-2026-3875
The BetterDocs WordPress plugin is vulnerable to Stored Cross-Site Scripting via the betterdocs_feedback_form shortcode attributes in all versions up to 4.3.8. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, allowing authenticated attac...
CVE-2026-1620 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the laegettemplatepart function, which uses an inadequate strreplace approach that can...
CVE-2026-1620 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter
The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the laegettemplatepart function, which uses an inadequate strreplace approach that can...
CVE-2026-3885
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'subox' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-3299 WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode
The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute
The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...
12 Step Meeting List < 3.19.10 - Missing Authorization
Description The 12 Step Meeting List plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.19.9. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an...
CVE-2026-4059
CVE-2026-4059 (ShopLentor WordPress plugin) is a Stored Cross-Site Scripting vulnerability affecting all versions up to 3.3.5. The issue arises from insufficient input sanitization and missing output escaping on the woolentor_quickview_button shortcode’s button_text attribute, allowing authentica...
CVE-2026-4057
CVE-2026-4057 is reserved; connected document reveals a concrete vulnerability in WordPress Plugin Download Manager (versions
EUVD-2024-47052
The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
EUVD-2024-46946
The Infinite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘projecturl’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access an...
EUVD-2026-20034
The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the group attribute in the gallery shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the group attribute value without proper...
CVE-2026-3513 TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableonbutton' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...