
233 matches found

Positive Technologies
added 2026/04/22 12:0 a.m., 2 views

PT-2026-34289

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk block...

CVSS 6.4, AI score 5.9, EPSS 0.00288
Exploits: 0, References: 7

CVE
added 2026/04/15 8:28 a.m., 5 views

CVE-2026-4011

The CVE-2026-4011 entry describes a Stored Cross-Site Scripting flaw in the Power Charts Lite WordPress plugin (versions

CVSS 6.4, AI score 6, EPSS 0.00265
Exploits: 0, References: 5

CVE
added 2026/04/15 7:45 a.m., 8 views

CVE-2026-5717

The CVE-2026-5717 entry concerns the WordPress plugin VI: Include Post By. Affected: all versions up to 0.4.200706. Issue: Stored Cross-Site Scripting via the class_container attribute of the include-post-by-cat shortcode, caused by insufficient input sanitization and output escaping on user-supp...

CVSS 6.4, AI score 5.9, EPSS 0.00248
Exploits: 0, References: 3

Cvelist
added 2026/04/15 7:45 a.m., 26 views

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4, EPSS 0.00248
Exploits: 0, References: 3

Vulnrichment
added 2026/04/15 7:45 a.m., 4 views

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4, AI score 5.9, EPSS 0.00248
Exploits: 0, References: 3

Patchstack
added 2026/04/15 4:7 a.m., 3 views

WordPress WP Circliful plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin WP Circliful versions <= 1.2...

CVSS 6.4, AI score 5.8, EPSS 0.00322
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/04/15 3:51 a.m., 8 views

WordPress Power Charts plugin <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Power Charts versions <= 0.1.0...

CVSS 6.4, AI score 5.8, EPSS 0.00265
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/04/15 3:50 a.m., 4 views

WordPress VI: Include Post By plugin <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute vulnerability discovered by MAJidox in WordPress Plugin VI: Include Post By versions <= 0.4.200706...

CVSS 6.4, AI score 5.8, EPSS 0.00248
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2026/04/14 3:37 a.m., 7 views

CVE-2026-4059

CVE-2026-4059 (ShopLentor WordPress plugin) is a Stored Cross-Site Scripting vulnerability affecting all versions up to 3.3.5. The issue arises from insufficient input sanitization and missing output escaping on the woolentor_quickview_button shortcode’s button_text attribute, allowing authentica...

CVSS 6.4, AI score 5.9, EPSS 0.00296
Exploits: 0, References: 7

Vulnrichment
added 2026/04/14 3:37 a.m., 1 views

CVE-2026-4059 ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...

CVSS 6.4, AI score 5.9, EPSS 0.00296
Exploits: 0, References: 7

EUVD
added 2026/04/14 3:37 a.m., 2 views

EUVD-2026-22217

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...

CVSS 6.4, AI score 5.9, EPSS 0.00296
Exploits: 0, References: 7

Patchstack
added 2026/04/09 11:30 p.m., 6 views

WordPress OSM plugin <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin OSM versions <= 6.1.15...

CVSS 6.4, AI score 5.9, EPSS 0.00239
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/04/09 6:31 p.m., 4 views

WordPress pdfl.io plugin <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin pdfl.io versions <= 1.0.5...

CVSS 6.4, AI score 5.9, EPSS 0.00296
Exploits: 0, References: 1, Affected Software: 1

NVD
added 2026/04/08 10:16 a.m., 2 views

CVE-2026-4073

The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The outputshortcode function directly...

CVSS 6.4, EPSS 0.00296
Exploits: 0, References: 6

CVE
added 2026/04/08 9:25 a.m., 12 views

CVE-2026-4025

CVE-2026-4025 affects the PrivateContent Free WordPress plugin (pre-1.2.0). The flaw is a Stored XSS in the [pc-login-form] shortcode via the align attribute, caused by insufficient sanitization and lack of escaping when the attribute flows from the shortcode to pc_static::form_align() and is con...

CVSS 6.4, AI score 6.1, EPSS 0.00276
Exploits: 0, References: 8

Vulnrichment
added 2026/04/08 9:25 a.m., 5 views

CVE-2026-4073 pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute

The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The outputshortcode function directly...

CVSS 6.4, AI score 6.1, EPSS 0.00296
Exploits: 0, References: 6

EUVD
added 2026/04/08 6:31 a.m., 4 views

EUVD-2026-20041

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied...

CVSS 6.4, AI score 6.1, EPSS 0.00258
Exploits: 0, References: 7

NVD
added 2026/04/08 5:16 a.m., 4 views

CVE-2026-3600

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied...

CVSS 6.4, EPSS 0.00258
Exploits: 0, References: 6

Vulnrichment
added 2026/04/08 2:25 a.m., 0 views

CVE-2026-4379 LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute

The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the group attribute in the gallery shortcode in all versions up to, and including, 2.3.4. This is due to the plugin modifying gallery shortcode output to include the group attribute value without proper...

CVSS 6.4, AI score 5.9, EPSS 0.00264
Exploits: 0, References: 4

Patchstack
added 2026/04/07 11:17 p.m., 3 views

WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability

WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin TableOn versions <= 1.0.4.4...

CVSS 6.4, AI score 5.9, EPSS 0.00264
Exploits: 0, References: 1, Affected Software: 1