Lucene search
K

1416 matches found

EUVD
EUVD
added 2026/02/07 6:0 a.m.7 views

EUVD-2025-206894

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.4AI score0.00259EPSS
Exploits0References1
CVE
CVE
added 2026/02/07 6:0 a.m.16 views

CVE-2025-15491

The CVE refers to the Post Slides WordPress plugin (versions up to 1.0.1) where a flaw in shortcode attribute validation allows generation of include paths, enabling Local File Inclusion (LFI) for authenticated users (e.g., contributor or higher). Root cause: some shortcode attributes are not val...

5.5CVSS5.4AI score0.00259EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/07 5:52 a.m.34 views

CVE-2025-12159 Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbrawcontent shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00205EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/02/07 12:7 a.m.8 views

WordPress The Bucketlister plugin <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes vulnerability

Authenticated Contributor+ SQL Injection via category and id Shortcode Attributes vulnerability discovered by Ivan Cese in WordPress Plugin The Bucketlister versions = 0.1.5...

6.5CVSS5.7AI score0.00217EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/07 12:0 a.m.5 views

PT-2026-6881

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.5AI score0.00259EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/06 6:46 a.m.27 views

CVE-2026-1888 Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00235EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/02/06 12:38 a.m.6 views

WordPress Docus plugin <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Docus versions = 1.0.6...

6.4CVSS5.3AI score0.00235EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/02/06 12:35 a.m.10 views

WordPress Orange Confort+ accessibility toolbar for WordPress plugin <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Orange Comfort+ accessibility toolbar for WordPress versions = 0.7...

6.4CVSS5.3AI score0.00235EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/05 12:0 a.m.8 views

PT-2026-6024

Name of the Vulnerable Software and Affected Versions Essential Widgets plugin for WordPress versions up to and including 3.0 Description The Essential Widgets plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping on...

6.4CVSS5.7AI score0.00279EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/01/28 6:43 a.m.33 views

CVE-2026-1295 Buy Now Plus <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for...

6.4CVSS0.0027EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/28 6:43 a.m.5 views

CVE-2026-1295 Buy Now Plus <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for...

6.4CVSS6AI score0.0027EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/01/28 1:38 a.m.11 views

WordPress Buy Now Plus plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Buy Now Plus versions = 1.0.2...

6.4CVSS5.9AI score0.0027EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/01/24 7:26 a.m.5 views

CVE-2026-1097

The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS6AI score0.0024EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/01/24 5:30 a.m.9 views

WordPress ThemeRuby Multi Authors plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes vulnerability discovered by zaim in WordPress Plugin ThemeRuby Multi Authors versions = 1.0.0...

6.4CVSS5.4AI score0.0024EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/01/24 12:0 a.m.5 views

WordPress plugin ThemeRuby Multi Authors – Assign Multiple Writers to Posts Cross-site Script Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4CVSS5.7AI score0.0024EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.7 views

PT-2026-1745

Name of the Vulnerable Software and Affected Versions Countdown Timer – Widget Countdown plugin for WordPress versions prior to 2.7.8 Description The plugin is susceptible to Stored Cross-Site Scripting through the 'wpdevart countdown' shortcode due to inadequate input sanitization and output...

6.4CVSS5.8AI score0.00192EPSS
Exploits0References10
Patchstack
Patchstack
added 2026/01/09 9:24 p.m.6 views

WordPress PullQuote plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin PullQuote versions = 1.0...

6.4CVSS5.8AI score0.00239EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 12:32 p.m.4 views

CVE-2023-4798

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks...

5.4CVSS5.9AI score0.00394EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/01/09 12:32 p.m.6 views

CVE-2023-4035

The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS5.5AI score0.00371EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/01/09 12:31 p.m.7 views

CVE-2023-4289

The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attac...

5.4CVSS5.9AI score0.00403EPSS
Exploits2References1
Rows per page
Query Builder