WordPress GetContentFromURL plugin <= 1.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute vulnerability

Authenticated Contributor+ Server-Side Request Forgery via 'url' Shortcode Attribute vulnerability discovered by Ivan Cese in WordPress Plugin GetContentFromURL versions = 1.0...

CVE-2023-4944

The Awesome Weather Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13900 WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the wppumend shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14121

CVE-2025-14121 affects the WordPress plugin EDD Download Info (EDD Download Info). Affected versions: all up to 1.1. Root cause: insufficient input sanitization and output escaping in the shortcode attribute edd_download_info_link . Impact: Stored Cross-Site Scripting enabling authenticated attac...

CVE-2025-13497

CVE-2025-13497 : The Recras WordPress plugin is affected by a Stored Cross‑Site Scripting (XSS) flaw via the shortcode attribute recrasname . The issue is exploitable by authenticated attackers with at least Contributor privileges to inject web scripts that execute when users visit the injected p...

PT-2026-1635

Name of the Vulnerable Software and Affected Versions My Album Gallery plugin for WordPress versions prior to 1.0.5 Description The My Album Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting through the style css shortcode attribute. Insufficient input sanitization and...

WordPress plugin My Album Gallery 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site scripting...

WordPress Snillrik Restaurant plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'menu_style' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'menustyle' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Snillrik Restaurant versions = 2.2.1...

CVE-2025-14153

CVE-2025-14153 is a WordPress plugin vulnerability in Page Expire Popup/Redirection for WordPress. The issue is a time-based SQL Injection via the shortcod e attribute id in versions up to 1.0, caused by insufficient escaping and lack of proper query preparation. Exploitation requires authenticat...

WordPress WishSuite plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'buttontext' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WishSuite versions = 1.5.1...

CVE-2025-13963 FX Currency Converter <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxccconvert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-13840 BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute

The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazusearch' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2025-13840

CVE-2025-13840 — Bukazu Search Widget (WordPress) Vulnerability: Stored XSS via the shortcodes attribute of bukazu_search. Exploitation requires authentication at Contributor level or higher. Impact: injected scripts execute when users load the affected page. Affected versions: all versions up to...

CVE-2025-13969 Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute

The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the reviews-slider shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

WordPress VigLink SpotLight By ShortCode plugin <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'float' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin VigLink SpotLight By ShortCode versions = 1.0.a...

WordPress BUKAZU Search widget plugin <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin BUKAZU Search widget versions = 3.3.2...

WordPress Paypal Payment Shortcode plugin <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'buttomimage' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Paypal Payment Shortcode versions = 1.01...

WordPress LJUsers plugin <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin LJUsers versions = 1.2.0...

CVE-2025-13656

CVE-2025-13656 (Cute News Ticker, WordPress) is a stored cross-site scripting vulnerability in the Cute News Ticker plugin (WordPress) affecting versions up to 1.0. It stems from insufficient input sanitization and output escaping of the color shortcode attribute, allowing an authenticated attack...

CVE-2025-13898 Ultra Skype Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_id' Shortcode Attribute

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnid' parameter of the ultraskype shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...