1404 matches found
CVE-2025-14121 EDD Download Info <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edddownloadinfolink' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2025-13841
CVE-2025-13841 applies to the WordPress plugin Smart App Banners. The vulnerability is a Stored Cross-Site Scripting (XSS) in the shortcode parameter handling of the app-store-download shortcode, specifically for the attributes size and verticalalign. It affects all versions u...
CVE-2025-14626 QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes
The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2025-14626
CVE-2025-14626 – Stored Cross-Site Scripting in the QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress. The issue arises from insufficient input sanitization and output escaping of user-supplied attributes in the plugin’s shortcode, enabling an authenticated at...
CVE-2025-14053 Travel Bucket List <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
CVE-2025-14053
The CVE-2025-14053 entry concerns Travel Bucket List – Wish To Go (WordPress plugin). It describes Stored Cross-Site Scripting via shortcode attributes in versions up to 0.5.2 due to insufficient input sanitization/output escaping. Exploitation requires authenticated access at Contributor level o...
CVE-2024-2430
The Website Content in Page or Post WordPress plugin before 2024.04.09 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...
CVE-2024-2583
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortcode attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks...
CVE-2024-2695
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius', 'services' and...
PT-2026-1615
Name of the Vulnerable Software and Affected Versions: Wish To Go plugin for WordPress versions up to and including 0.5.2. Description: The Wish To Go plugin for WordPress is susceptible to Stored Cross-Site Scripting through shortcode attributes. Insufficient input sanitization and output escaping ...
WordPress Travel Bucket List plugin <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by ChamlaVic in WordPress Plugin Wish To Go versions <= 0.5.2...
WordPress AD Sliding FAQ plugin <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin AD Sliding FAQ versions <= 2.4...
WordPress QR Code for WooCommerce order emails, PDF invoices, packing slips plugin <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Cross-Site Scripting via Shortcode Attributes vulnerability discovered by WordFence in WordPress Plugin QR Code Tag for WC versions <= 1.9.42...
WordPress STM Gallery 1.9 plugin <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin STM Gallery 1.9 versions <= 0.9...
WordPress EDD Download Info plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin EDD Download Info versions <= 1.1...
WordPress AI BotKit plugin <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin AI BotKit versions <= 1.1.7...
WordPress PhotoFade plugin <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin PhotoFade versions <= 0.2.1...
WordPress Easy Jump Links Menus plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Easy Jump Links Menus versions <= 1.0.0...