Oi Yandex.Maps <= 3.2.7 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-14548 · WordPress · Collapse-O-Matic

Name of the Vulnerable Software and Affected Versions: Collapse-O-Matic WordPress plugin versions prior to 1.8.3 Description: The issue arises from the plugin's failure to validate and escape some of its shortcode attributes before outputting them back in the page. This could allow users with a...

PT-2023-14663 · WordPress · Compact Wp Audio Player

Name of the Vulnerable Software and Affected Versions: Compact WP Audio Player WordPress plugin versions prior to 1.9.8 Description: The issue concerns the Compact WP Audio Player WordPress plugin, which does not properly validate and escape certain shortcode attributes before outputting them. Th...

PT-2023-15222 · WordPress · Landing Page Builder

Name of the Vulnerable Software and Affected Versions: Landing Page Builder WordPress plugin versions prior to 1.4.9.9 Description: The issue arises from the plugin not validating and escaping some of its shortcode attributes before outputting them back in the page. This could allow users with a...

PT-2023-15423 · WordPress · Oneclick Chat To Order

Name of the Vulnerable Software and Affected Versions: OneClick Chat to Order WordPress plugin versions prior to 1.0.4.2 Description: The issue arises from the plugin not validating and escaping some of its shortcode attributes before outputting them back in the page. This could allow users with ...

PT-2023-15196 · WordPress · Structured Content

Name of the Vulnerable Software and Affected Versions: Structured Content WordPress plugin versions prior to 1.5.1 Description: The issue allows users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins...

Better Font Awesome < 2.0.4 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC icon name='flag' class='4x border'...

Rich Table of Contents < 1.3.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Note: The shortcode generates the conten...

Responsive Gallery Grid < 2.3.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Note: In ids, please add the image...

Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Note: First, you need to set Judge.me...

Widget Shortcode <= 0.3.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

CVE-2022-4648

The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4544

The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

CVE-2022-4578

The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used again...

CVE-2022-4571

The Seriously Simple Podcasting WordPress plugin before 2.19.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used agains...

CVE-2022-4487

The Easy Accordion WordPress plugin before 2.2.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privile...

CVE-2022-4508

The ConvertKit WordPress plugin before 2.0.5 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privile...

CVE-2022-4453

The 3D FlipBook WordPress plugin through 1.13.2 does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like...

CVE-2022-4481

The Mesmerize Companion WordPress plugin before 1.6.135 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4465

The WP Video Lightbox WordPress plugin before 1.9.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...