Lucene search
K

1416 matches found

Cvelist
Cvelist
added 2026/02/18 4:35 a.m.26 views

CVE-2025-13959 Filestack <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00181EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/02/18 12:36 a.m.6 views

WordPress WP Event Aggregator plugin <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by WordFence in WordPress Plugin WP Event Aggregator versions = 1.8.7...

6.4CVSS5.5AI score0.0025EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/17 11:23 p.m.7 views

WordPress Filestack plugin <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Filestack versions = 2.0.8...

6.4CVSS5.5AI score0.00181EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/14 6:42 a.m.15 views

CVE-2026-1939

CVE-2026-1939 concerns the WordPress plugin Percent to Infograph. The vulnerability is a Stored XSS via the shortcode percent_to_graph, affecting versions up to 1.0, exploitable by authenticated attackers with contributor+ rights due to insufficient input sanitization and output escaping. The Wor...

6.4CVSS5.8AI score0.0026EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/14 6:42 a.m.3 views

CVE-2026-1939 Percent to Infograph <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the percenttograph shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.7AI score0.0026EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/14 6:42 a.m.26 views

CVE-2026-1901 QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00237EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/14 6:42 a.m.4 views

CVE-2026-1901 QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.7AI score0.00237EPSS
Exploits0References3
CVE
CVE
added 2026/02/14 6:42 a.m.19 views

CVE-2026-1901

CVE-2026-1901 relates to the WordPress plugin QuestionPro Surveys (versions

6.4CVSS5.8AI score0.00237EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/02/13 10:57 p.m.5 views

WordPress Percent to Infograph plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Percent to Infograph versions = 1.0...

6.4CVSS5.5AI score0.0026EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/11 8:26 a.m.19 views

CVE-2026-1809

The CVE-2026-1809 entry concerns the WordPress HTML Shortcodes plugin (versions

6.4CVSS5.8AI score0.00253EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/02/11 8:26 a.m.2 views

CVE-2026-1809 HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The HTML Tag Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

6.4CVSS5.8AI score0.00253EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/02/10 11:9 p.m.6 views

WordPress HTML Shortcodes plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin HTML Shortcodes versions = 1.1...

6.4CVSS5.4AI score0.00253EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/10 11:7 p.m.6 views

WordPress OpenPOS Lite plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin OpenPOS Lite – Point of Sale for WooCommerce versions = 3.0...

6.4CVSS5.5AI score0.00253EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/10 11:2 p.m.6 views

WordPress Microtango plugin <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Microtango versions = 0.9.29...

6.4CVSS5.4AI score0.00248EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/09 11:43 p.m.8 views

WordPress The Events Calendar Shortcode & Block plugin <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin The Events Calendar Shortcode & Block versions = 3.1.2...

6.4CVSS5.5AI score0.00245EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/08 7:13 a.m.8 views

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.5CVSS5.3AI score0.00259EPSS
Exploits0References1
NVD
NVD
added 2026/02/07 9:15 a.m.8 views

CVE-2025-15477

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode category and id attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This...

6.5CVSS0.00217EPSS
Exploits0References2
CVE
CVE
added 2026/02/07 8:26 a.m.19 views

CVE-2025-15477

The Bucketlister WordPress plugin (versions up to and including 0.1.5) is vulnerable to SQL Injection via the shortcode attributes category and id. The root cause is insufficient escaping of user-supplied parameters and inadequate preparation of the existing SQL query. This allows authenticated a...

6.5CVSS5.8AI score0.00217EPSS
Exploits0References2
NVD
NVD
added 2026/02/07 6:16 a.m.8 views

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.5CVSS0.00259EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/07 6:0 a.m.6 views

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.4AI score0.00259EPSS
Exploits0References1
Rows per page
Query Builder