CVE-2026-4072 WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email'...

CVE-2026-3333 MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-3996 WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the game shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src',...

CVE-2026-3996 WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the game shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src',...

CVE-2026-3996

The CVE-2026-3996 entry affects the WP Games Embed plugin for WordPress (versions up to 0.1beta). Root cause: insufficient input sanitization and output escaping on shortcode attributes (width, height, src, title, description, game_url, main, thumb) which are concatenated into HTML output. Active...

CVE-2026-1891 Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmrfbscoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1891 Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmrfbscoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-2496 Ed's Font Awesome <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edsfontawesome shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-2496 Ed's Font Awesome <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edsfontawesome shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-2496

The CVE concerns the Ed's Font Awesome plugin for WordPress, vulnerable to Stored Cross-Site Scripting via the eds_font_awesome shortcode in all versions up to 2.0. Root cause: insufficient input sanitization and output escaping on user-supplied shortcode attributes. Impact: authenticated attacke...

CVE-2026-4084

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

CVE-2026-1822 WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-4086 WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

CVE-2026-4086 WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

CVE-2026-4086

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

CVE-2026-4086

The CVE concerns the WP Random Button WordPress plugin (versions up to 1.0). It is vulnerable to Stored Cross-Site Scripting via the wp_random_button shortcode attributes cat, nocat, and text. The root cause is insufficient input sanitization and output escaping: the random_button_html() function...

PT-2026-26859

Name of the Vulnerable Software and Affected Versions Sherk Custom Post Type Displays plugin for WordPress versions up to and including 1.2.1 Description The Sherk Custom Post Type Displays plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'title' shortcode attribute...

PT-2026-26874

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

WordPress plugin WP Games Embed 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

WordPress plugin Ecover Builder For Dummies 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...