CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/27 5:31 a.m.•8 views

EUVD-2026-32061

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbitoprintshortcode function, which concatenates the raw shortcode attribute value directly...

Cvelist•added 2026/05/27 5:31 a.m.•29 views

CVE-2026-8702 GBI To Print <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'div' Shortcode Attribute

6.4CVSS0.00156EPSS

Cvelist•added 2026/05/27 5:31 a.m.•31 views

CVE-2026-9200 Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...

7.5CVSS0.00495EPSS

ATTACKERKB•added 2026/05/27 5:31 a.m.•5 views

CVE-2026-8702

6AI score0.00156EPSS

Vulnrichment•added 2026/05/27 5:31 a.m.•9 views

CVE-2026-8702 GBI To Print <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'div' Shortcode Attribute

Vulnrichment•added 2026/05/27 5:31 a.m.•7 views

CVE-2026-8698 Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the asgetcoinshortcode function, which renders the 'width' and 'height' shortcode attribute directly into the style attribut...

Positive Technologies•added 2026/05/27 12:0 a.m.•8 views

PT-2026-43502

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi toprint shortcode function, which concatenates the raw shortcode attribute value directly...

ATTACKERKB•added 2026/05/20 1:25 a.m.•5 views

CVE-2026-8038

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS6AI score0.00253EPSS

CVE•added 2026/05/14 6:44 a.m.•17 views

CVE-2026-3694

CVE-2026-3694 affects the Bold Page Builder plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the bt_bb_button shortcode’s 'text' attribute across all versions up to and including 5.6.8. It stems from insufficient input sanitization and output escaping for use...

RedhatCVE•added 2026/05/13 2:21 p.m.•8 views

CVE-2026-4920

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

EUVD•added 2026/05/12 9:31 a.m.•20 views

Exploits0References1

EUVD-2026-29396

Cvelist•added 2026/05/12 7:48 a.m.•52 views

CVE-2026-6247 scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS0.00187EPSS

Cvelist•added 2026/05/12 7:48 a.m.•38 views

CVE-2026-5715 Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

6.4CVSS0.00187EPSS

Cvelist•added 2026/05/12 7:48 a.m.•62 views

CVE-2026-4920 Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

6.4CVSS0.00187EPSS

Vulnrichment•added 2026/05/12 7:48 a.m.•6 views

CVE-2026-4859 SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CNNVD•added 2026/05/12 12:0 a.m.•7 views

WordPress plugin Next Date 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

6.4CVSS5.8AI score0.00187EPSS

Exploits0References1

Positive Technologies•added 2026/05/12 12:0 a.m.•17 views

PT-2026-39951

NVD•added 2026/05/06 8:16 a.m.•9 views

CVE-2026-6672

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the...

6.4CVSS0.00152EPSS