1404 matches found
CVE-2026-1097
The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it...
WordPress ThemeRuby Multi Authors plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'before' and 'after' Shortcode Attributes vulnerability discovered by zaim in WordPress Plugin ThemeRuby Multi Authors versions = 1.0.0...
WordPress plugin ThemeRuby Multi Authors – Assign Multiple Writers to Posts Cross-site Script Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-1745
Name of the Vulnerable Software and Affected Versions Countdown Timer – Widget Countdown plugin for WordPress versions prior to 2.7.8 Description The plugin is susceptible to Stored Cross-Site Scripting through the 'wpdevart countdown' shortcode due to inadequate input sanitization and output...
WordPress PullQuote plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin PullQuote versions = 1.0...
CVE-2023-4798
The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks...
CVE-2023-4035
The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-4289
The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attac...
CVE-2023-4799
The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2025-13908 The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'thetooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2023-4842
The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'socialwarfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-14053
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
WordPress Debt.com Business in a Box plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Debt.com Business in a Box versions = 4.1.0...
WordPress Menu Card plugin <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Menu Card versions = 0.8.0...
WordPress Curved Text plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Curved Text versions = 0.1...
WordPress The Tooltip plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin The Tooltip versions = 1.0.2...
WordPress Nearby Now Reviews plugin <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Nearby Now Reviews versions = 5.2...
CVE-2025-14053
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
CVE-2025-14122 AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slidingfaq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
CVE-2025-14122 AD Sliding FAQ <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slidingfaq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...