CVE-2026-8871 Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kineticlink' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notably 'window', 'class', an...

EUVD-2026-32076

The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kineticlink' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notably 'window', 'class', an...

CVE-2026-8871

The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kineticlink' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notably 'window', 'class', an...

CVE-2026-6646

The CVE concerns The7 Theme for WordPress (versions up to and including 14.3.2). A Stored Cross-Site Scripting vulnerability exists in the dt_default_button shortcode due to insufficient input sanitization and output escaping of the title component within the link shortcode parameter. This allows...

CVE-2026-6646 The7 <= 14.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 'link' Parameter

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dtdefaultbutton' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. This makes it...

CVE-2025-11185

CVE-2025-11185 concerns the WordPress plugin “Complianz – GDPR/CCPA Cookie Consent”. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) via the plugin’s cmplz-accept-link shortcode, arising from insufficient input sanitization and output escaping on user-supplied attributes. It affec...

CVE-2025-10139

The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bwlink' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-10139

CVE-2025-10139 concerns the WordPress plugin WP BookWidgets. According to Wordfence, it is vulnerable to a stored cross-site scripting (XSS) condition via the plugin’s bw_link shortcode in versions up to and including 0.9, caused by insufficient input sanitization and output escaping of user-supp...

CVE-2024-5485

The SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Trigger Link shortcode in all versions up to, and including, 1.0.47 due to insufficient input sanitization and output escaping on user...

PT-2025-1956 · WordPress · Etsy Importer

Name of the Vulnerable Software and Affected Versions: Etsy Importer plugin for WordPress versions up to, and including, 1.4.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the product lin...

WordPress CF Internal Link Shortcode 1.1.0 SQL Injection

WordPress CF Internal Link Shortcode plugin versions 1.1.0 and below suffer from a remote SQL injection vulnerability. CVE-2024-12404 CF Internal Link Shortcode = 1.1.0 - Unauthenticated SQL Injection Description The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection v...

CVE-2024-12404

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2024-12404 CF Internal Link Shortcode <= 1.1.0 - Unauthenticated SQL Injection

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2024-12404

CVE-2024-12404 : CF Internal Link Shortcode for WordPress is vulnerable to an unauthenticated SQL Injection via the post_title parameter in versions up to 1.1.0 due to insufficient escaping and poor query preparation. This could allow an attacker to append additional SQL commands to existing quer...

CVE-2024-12404 CF Internal Link Shortcode <= 1.1.0 - Unauthenticated SQL Injection

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

WordPress plugin CF Internal Link Shortcode SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A SQL injection vulnerability exists in WordPress plug...

WordPress CF Internal Link Shortcode plugin <= 1.1.0 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Frissi0n in WordPress Plugin CF Internal Link Shortcode versions = 1.1.0...

PT-2024-16091 · WordPress · Beds24 Online Booking

Name of the Vulnerable Software and Affected Versions: Beds24 Online Booking plugin for WordPress versions up to, and including, 2.0.26 Description: The issue is related to Stored Cross-Site Scripting via the plugin's beds24-link shortcode due to insufficient input sanitization and output escapin...

CVE-2024-10187

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycredlink shortcode in all version...

CVE-2024-5536

The GamiPress – Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gamipresslink shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...