1416 matches found
CVE-2022-4448
The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4458
The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against hig...
CVE-2022-4471
The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Cross site scripting
The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...
CVE-2022-4759 GigPress < 2.3.28 - Contributor+ Stored XSS via Shortcode
The GigPress WordPress plugin before 2.3.28 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4488 Widgets on Pages < 1.8.0 - Contributor+ Stored XSS
The Widgets on Pages WordPress plugin before 1.8.0 does not validate and escape its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege use...
CVE-2023-0034 JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode
The JetWidgets For Elementor WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVE-2023-0166 PickPlugins Product Slider for WooCommerce < 1.13.42 - Contributor+ Stored XSS
The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored...
CVE-2023-0275 Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS
The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...
CVE-2023-0061 Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Si...
CVE-2023-0333
The CVE-2023-0333 entry concerns the TemplatesNext ToolKit WordPress plugin prior to version 3.2.9. The issue is that the plugin does not validate some shortcode attributes before using them to generate HTML tags, enabling Stored Cross-Site Scripting (XSS) when an attacker with Contributor privil...
CVE-2023-0169 Zoho Forms < 3.0.1 - Contributor+ Stored XSS
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2022-4551 Rich Table of Contents < 1.3.9 - Contributor+ Stored XSS
The Rich Table of Contents WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attack...
CVE-2022-4448 GiveWP < 2.24.0 - Contributor+ Stored XSS
The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-0270 YaMaps for WordPress Plugin < 0.6.26 - Contributor+ Stored XSS
The YaMaps for WordPress Plugin WordPress plugin before 0.6.26 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
UpQode Google Maps <= 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit: vcugmmap mapheight='100px;...
PT-2023-14565 · WordPress · Widgets On Pages
Name of the Vulnerable Software and Affected Versions: Widgets on Pages WordPress plugin versions prior to 1.8.0 Description: The issue concerns the failure to validate and escape shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scriptin...
PT-2023-15679 · WordPress · Paid Memberships Pro
Name of the Vulnerable Software and Affected Versions: Paid Memberships Pro WordPress plugin versions prior to 2.9.9 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes, which can lead to Stored Cross-Site Scripting attacks. Users with a role as low a...
Advanced Recent Posts <= 0.6.14 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC lptwrecentposts colorscheme='"...
PT-2023-15992 · WordPress · Amazon Js Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Amazon JS WordPress plugin versions 0.10 and earlier Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the Amazon JS WordPress plugin, which can lead to Stored Cross-Site Scripting attacks...