EUVD-2026-18971
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-10227
The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
WordPress affiliate-toolkit plugin <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin affiliate-toolkit versions <= 3.6.5...
PT-2024-16126 · WordPress · Affiliate-Toolkit
Name of the Vulnerable Software and Affected Versions: affiliate-toolkit plugin for WordPress versions up to, and including, 3.6.5. Description: The issue is related to Stored Cross-Site Scripting via the plugin's atkp_product shortcode due to insufficient input sanitization and output escaping on...
Booking.com Product Helper < 1.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. When creating a "New product shortcode" you can inject XSS payloads like --! i...
CVE-2021-24226
In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the accessally_order_form shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the...