CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the showmodule shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmoduleshortcode function, which...

CVE-2026-7650

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the e2pdf-download shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode...

CVE-2026-43107

A flaw was found in the Linux kernel's xfrm subsystem. A remote attacker could send a specially crafted netlink message that, due to an incorrect size calculation when handling XFRMAIFID attributes, would lead to a buffer overflow. This issue could cause a kernel panic, resulting in a Denial of...

EUVD-2026-27624

In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMAIFID in aevent size calculation xfrmgetae allocates the reply skb with xfrmaeventmsgsize, then buildaevent appends attributes including XFRMAIFID when x-ifid is set. xfrmaeventmsgsize does not include space for...

CVE-2026-3498

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-4084

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

CVE-2026-4077

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode...

WordPress The Bucketlister plugin <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes vulnerability

Authenticated Contributor+ SQL Injection via category and id Shortcode Attributes vulnerability discovered by Ivan Cese in WordPress Plugin The Bucketlister versions = 0.1.5...

CVE-2026-1189

CVE-2026-1189 affects LeadBI Plugin for WordPress. All versions up to and including 1.7 are vulnerable to stored cross-site scripting via the form_id attribute of the leadbi_form shortcode. Exploitation requires authenticated access at Contributor level or higher; an attacker can inject script in...

CVE-2025-11804

CVE-2025-11804 affects the WordPress plugin JB News Ticker. The vulnerability is a Stored Cross-Site Scripting flaw exploitable via the id attribute of the jbticker shortcode, present in all versions up to 1.0. It requires authenticated access at contributor level or higher, enabling an attacker ...

CVE-2024-5664

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute within the plugin's sonaaraudioplayer shortcode in all versions up to, and including, 5.5 due to insufficient input sanitization and outpu...

WordPress plugin Page scroll to id 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

CLSA-2022-1647261009 Fix of CVE: CVE-2022-23308

CVE-2022-23308: fix use-after-free of ID and IDREF attributes...

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

...

ALPINE-CVE-2022-23308

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes...