WordPress LearnPress plugin <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin LearnPress versions = 4.3.3...

WordPress LightPress Lightbox plugin <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP jQuery Lightbox versions = 2.3.4...

CVE-2026-4278

The CVE-2026-4278 entry concerns the WordPress plugin Simple Download Counter, vulnerable to Stored Cross-Site Scripting via the sdc_menu shortcode in versions up to 2.3. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically text...

CVE-2026-4075

CVE-2026-4075 : The BWL Advanced FAQ Manager Lite WordPress plugin is vulnerable to a Stored Cross-Site Scripting (XSS) via the baf_sbox shortcode in all versions up to 1.1.1. The issue arises from insufficient input sanitization and output escaping of user-supplied shortcode attributes (e.g., sb...

WordPress WPFAQBlock- FAQ & Accordion Plugin For Gutenberg plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin WPFAQBlock versions = 1.1...

WordPress Twitter Feeds plugin <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute vulnerability

Authenticated Contributor+ Cross-Site Scripting via 'tweettitle' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Twitter Feeds versions = 1.0.0...

WordPress WP Random Button plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin WP Random Button versions = 1.0...

CVE-2026-3619 Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute

The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the sheets2table-render-table shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the...

CVE-2026-1891

The CVE concerns the Simple Football Scoreboard plugin for WordPress. A stored XSS vulnerability exists in all versions up to 1.0 via the ytmr_fb_scoreboard shortcode, caused by insufficient input sanitization and output escaping for user-supplied attributes. Exploitation requires authenticated a...

CVE-2026-1093

The CVE concerns the WPFAQBlock– FAQ & Accordion Plugin For Gutenberg (WordPress). It describes a Stored Cross-Site Scripting (XSS) flaw in the shortCode attribute “class” of wpfaqblock, affecting all versions up to and including 1.1. The underlying cause is insufficient input sanitization and ou...

CVE-2026-4077

The CVE-2026-4077 entry concerns the WordPress plugin Ecover Builder For Dummies . It reports a Stored Cross‑Site Scripting (XSS) vulnerability in the id attribute of the ecover shortcode, affecting all versions up to 1.0. The root cause is insufficient input sanitization and output escaping for ...

CVE-2026-4077 Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode...

CVE-2026-1854

CVE-2026-1854 concerns the WordPress Post Flagger plugin. A stored XSS vulnerability exists via the plugin’s 'flag' shortcode attribute in all versions up to and including 1.1 due to insufficient input sanitization and output escaping. The issue can be chained by an authenticated attacker with co...

PT-2026-26861

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer...

PT-2026-26870

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad func shortcode handl...

CVE-2026-2358

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...

CVE-2026-2358 WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...

CVE-2026-2358 WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...

PT-2026-24577

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp ulike likers box shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of html entity decode on shortcode attributes without subsequent output sanitization, which...

WordPress WP ULike plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin WP ULike versions = 5.0.1...