224938 matches found
CVE-2026-8701
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8941
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8941
The CVE concerns the WordPress plugin CDN Linker lite (
EUVD-2026-32067
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8701
The CVE-2026-8701 entry describes a Stored XSS in the WordPress plugin GNTT Post Title Ticker (versions
CVE-2026-8943
GoStats for WordPress plugin for WordPress is vulnerable to Cross‑Site Request Forgery in all versions up to 1.4 due to missing or incorrect nonce validation in gostats_manage(). This allows unauthenticated attackers to modify settings (gostats_siteid, gostats_server) via forged requests if a sit...
CVE-2026-8941 CDN Linker lite <= 1.3.1 - Cross-Site Request Forgery to Plugin Settings Update
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8701 GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
EUVD-2026-32066
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8897 Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...
CVE-2026-8887 Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
EUVD-2026-32065
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
EUVD-2026-32064
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...
CVE-2026-8887
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
CVE-2026-8897
Shortcode Buddy for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in versions ≤ 0.1.9.5 due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary scripts on pages, which execut...
CVE-2026-8887
The CVE-2026-8887 entry concerns the WordPress Listen Shortcode plugin (versions up to 1.0). The flaw is a Stored XSS in the listenEmbedJS() function where user-supplied attributes (src, start, end) are echoed inside a single-quoted HTML attribute without proper escaping, enabling authenticated a...
CVE-2026-9200 Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...
EUVD-2026-32061
The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbitoprintshortcode function, which concatenates the raw shortcode attribute value directly...
CVE-2026-8870 Team Master <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-9200 Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...