5 matches found
CVE-2026-8870
The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
PT-2026-43514
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...
EUVD-2026-23212
The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismaticencoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismaticdecode'...
CVE-2015-9496
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FMform id=' substring...
PT-2023-15000 · WordPress · Rate My Post
Name of the Vulnerable Software and Affected Versions: Rate my Post WordPress plugin versions prior to 3.3.9
Description: The issue concerns a lack of validation and escaping of a shortcode attribute, potentially allowing users with a role as low as contributor to perform a Stored Cross-Site...