CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2026-35299

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...

CVE-2026-8883 Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...

CVE-2026-8883 Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...

CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

EUVD-2026-35298

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

CVE-2026-7556

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-5714

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-7556

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-7556

The FV Flowplayer Video Player plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 7.5.49.7212. The issue arises from insufficient input sanitization and output escaping in comment text, allowing unauthenticated attackers to inject web scrip...

CVE-2026-5714 Enable Media Replace <= 4.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-7556 FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

EUVD-2026-35292

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

EUVD-2026-35293

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-5714

The CVE-2026-5714 entry concerns the WordPress Enable Media Replace plugin. A stored cross-site scripting vulnerability exists via the location_dir parameter in all versions up to 4.1.8, caused by insufficient input sanitization and output escaping. This allows authenticated attackers with Author...

CVE-2026-7556 FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-5714

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-10862

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...