Lucene search
K

95 matches found

CVE
CVE
added 2026/07/06 9:15 p.m.10 views

CVE-2026-59710

Showdown (the Showdown library) contains a stored XSS flaw in parseHeaders (src/subParsers/makehtml/tables.js) where table header ID attributes are not properly escaped. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in Markdown table headers...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/06 9:15 p.m.33 views

CVE-2026-59710 showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS0.00198EPSS
Exploits0References4
CVE
CVE
added 2026/07/01 3:43 a.m.15 views

CVE-2026-13246

The CVE concerns GiveWP – Donation Plugin and Fundraising Platform for WordPress (up to version 4.16.0). A Stored XSS exists in the givewp_campaign_comments shortcode (block_id and similar attributes) due to insufficient sanitization and escaping in CampaignCommentsShortcode::parseAttributes() an...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References12
EUVD
EUVD
added 2026/06/27 6:50 a.m.8 views

EUVD-2026-39956

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode...

6.4CVSS5.9AI score0.00193EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/19 4:31 a.m.10 views

EUVD-2026-37982

The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient...

6.4CVSS6AI score0.00212EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.11 views

CVE-2026-3659

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

6.4CVSS5.7AI score0.00322EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.13 views

CVE-2026-8847

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6.4CVSS5.7AI score0.00198EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 5:32 a.m.41 views

CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the showmodule shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmoduleshortcode function, which...

6.4CVSS0.00197EPSS
Exploits0References4
CVE
CVE
added 2026/05/29 5:32 a.m.36 views

CVE-2026-9714

The WordPress plugin Simple Divi Shortcode (versions ≤ 1.2) is affected by a Stored Cross-Site Scripting (XSS) vulnerability via the id attribute of the [showmodule] shortcode. The flaw stems from insufficient input sanitization and output escaping in showmodule_shortcode(), which concatenates th...

6.4CVSS6AI score0.00197EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/29 5:32 a.m.18 views

EUVD-2026-33252

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the showmodule shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmoduleshortcode function, which...

6.4CVSS6AI score0.00197EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/27 5:31 a.m.10 views

CVE-2026-8847 Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6.4CVSS6AI score0.00198EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/27 5:31 a.m.16 views

CVE-2026-8847

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6AI score0.00198EPSS
Exploits0References4
CVE
CVE
added 2026/05/27 5:31 a.m.28 views

CVE-2026-8847

The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...

6.4CVSS6AI score0.00198EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.14 views

PT-2026-43509

The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes 'id' and 'name' in the gplusnamelink...

6.4CVSS6AI score0.00198EPSS
Exploits0References5
NVD
NVD
added 2026/05/26 9:16 p.m.15 views

CVE-2026-44897

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS0.00228EPSS
Exploits1References2
OSV
OSV
added 2026/05/26 9:16 p.m.7 views

UBUNTU-CVE-2026-44897

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in...

6.1CVSS6AI score0.00228EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/09 12:13 a.m.11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTMLRenderer heading rendering path in the HTML renderer. An attacker can inject arbitrary HTML by supplying a heading id attribute value that contains quotes and markup. The rendered output can be alter...

6.1CVSS5.8AI score0.00228EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/08 9:26 a.m.61 views

CVE-2026-7650 E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the e2pdf-download shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode...

6.4CVSS0.00244EPSS
Exploits0References6
CVE
CVE
added 2026/05/02 4:27 a.m.18 views

CVE-2026-4658

The CVE-2026-4658 entry concerns the WordPress plugin Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (Add-to-Cart block). Affected: all versions up to 6.0.4. Root cause: insufficient output escaping in render_callback() where class and data-id attributes are built via raw ...

6.4CVSS6AI score0.00419EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.34 views

CVE-2026-4089 Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

6.4CVSS0.00288EPSS
Exploits0References5
Rows per page
Query Builder