CVE-2026-8873

The CVE-2026-8873 entry concerns the Content Slideshow WordPress plugin (versions up to 2.4.1). The vulnerability is a Stored Cross-Site Scripting (XSS) via Shortcode Attributes caused by insufficient input sanitization and output escaping. Attackers with contributor-level access and above can in...

EUVD-2026-32078

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

CVE-2026-8891

The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...

CVE-2026-8872 Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the...

CVE-2026-8866

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...

CVE-2026-8701

The CVE-2026-8701 entry describes a Stored XSS in the WordPress plugin GNTT Post Title Ticker (versions

EUVD-2026-32066

The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...

CVE-2026-8887

The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...

EUVD-2026-32063

The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

EUVD-2026-32061

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbitoprintshortcode function, which concatenates the raw shortcode attribute value directly...

CVE-2026-8703 Endless Scroll <= 1.0.0 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access a...

CVE-2026-8837

The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2026-8698 Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the asgetcoinshortcode function, which renders the 'width' and 'height' shortcode attribute directly into the style attribut...

EUVD-2026-32053

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

CVE-2026-8877

The CVE-2026-8877 entry concerns the WordPress plugin Responsive Video Embedder (

PT-2026-44141

Description Symfony's profiler, a development only debug UI, renders source-code excerpts on several pages using Twig's custom file excerpt filter. This filter renders PHP files via highlight string which escapes HTML, but renders non-PHP files by splitting on and interpolating each line directly...

PT-2026-43504

The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...

WordPress plugin myLinksDump 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

WordPress plugin jQuery googleslides 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

WordPress plugin MinhNhut Link Gateway 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...