Lucene search
K

3113 matches found

NVD
NVD
added 2026/03/21 4:16 a.m.3 views

CVE-2026-1899

The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's apsslider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'posttype' attribute. This makes it possible for authenticated...

6.4CVSS0.00236EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.28 views

CVE-2026-1275 Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute

The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the...

6.4CVSS0.00235EPSS
Exploits0References3
CVE
CVE
added 2026/03/21 3:26 a.m.6 views

CVE-2026-3617

The CVE-2026-3617 entry concerns the Paypal Shortcode plugin for WordPress, with Stored Cross-Site Scripting in all versions up to 0.3. The root cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes (amount and name). The swer_paypal_shortcode() functi...

6.4CVSS6AI score0.00201EPSS
Exploits0References7
CVE
CVE
added 2026/03/21 3:26 a.m.10 views

CVE-2026-1313

The MimeTypes Link Icons plugin for WordPress (vulnerable up to 3.2.20) is affected by a Server-Side Request Forgery. The root cause is outbound HTTP requests to user-controlled URLs made without proper validation when the “Show file size” option is enabled. Authenticated attackers with Contribut...

8.3CVSS5.9AI score0.00316EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.28 views

CVE-2026-3996 WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the game shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src',...

6.4CVSS0.00235EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.2 views

CVE-2026-1891 Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmrfbscoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.28 views

CVE-2026-4084 fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

6.4CVSS0.0025EPSS
Exploits0References13
CVE
CVE
added 2026/03/21 3:26 a.m.6 views

CVE-2026-1093

The CVE concerns the WPFAQBlock– FAQ & Accordion Plugin For Gutenberg (WordPress). It describes a Stored Cross-Site Scripting (XSS) flaw in the shortCode attribute “class” of wpfaqblock, affecting all versions up to and including 1.1. The underlying cause is insufficient input sanitization and ou...

6.4CVSS6AI score0.00243EPSS
Exploits0References4
CVE
CVE
added 2026/03/21 3:26 a.m.8 views

CVE-2026-4077

The CVE-2026-4077 entry concerns the WordPress plugin Ecover Builder For Dummies . It reports a Stored Cross‑Site Scripting (XSS) vulnerability in the id attribute of the ecover shortcode, affecting all versions up to 1.0. The root cause is insufficient input sanitization and output escaping for ...

6.4CVSS6AI score0.00201EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.1 views

CVE-2026-1854 Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS6AI score0.00243EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.27 views

CVE-2026-4086 WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

6.4CVSS0.00193EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.1 views

CVE-2026-4086 WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

6.4CVSS6AI score0.00193EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.4 views

PT-2026-26861

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer...

6.4CVSS6AI score0.00201EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/03/20 11:25 p.m.3 views

CVE-2026-2430 Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the addlazyload function that replaces all occurrences of \ssr...

6.4CVSS6AI score0.00198EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/20 11:25 p.m.3 views

CVE-2026-4083 Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

6.4CVSS6AI score0.00206EPSS
Exploits0References8
CVE
CVE
added 2026/03/18 6:0 a.m.18 views

CVE-2025-15363

CVE-2025-15363 refers to the WordPress plugin Get Use APIs – JSON Content Importer (

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/18 6:0 a.m.28 views

CVE-2025-15363 Get Use APIs < 2.0.10 - Contributor+ Stored XSS

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations...

0.0014EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.9 views

WordPress plugin Get Use APIs 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There wa...

5.9CVSS5.9AI score0.0014EPSS
Exploits0References1
CVE
CVE
added 2026/03/07 7:22 a.m.21 views

CVE-2026-1569

CVE-2026-1569 describes a stored XSS in the WordPress plugin Wueen (versions

6.4CVSS5.9AI score0.00159EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/07 5:46 a.m.34 views

CVE-2025-8899 Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation

The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisperregisterform function not restricting user roles that can be set during registration. This makes it possible...

8.8CVSS0.0037EPSS
Exploits0References3
Rows per page
Query Builder