1404 matches found
CVE-2025-13740 Lightweight Accordion <= 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightweight-accordion shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
PT-2025-51223
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to...
PT-2025-51083
The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith quick view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
CVE-2025-13747 NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in the nspshortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2025-13961
CVE-2025-13961 affects the WordPress plugin Data Visualizer up to version 1.1. It enables Stored Cross-Site Scripting (Stored XSS) via the plugin’s shortcodes (visualize) due to insufficient input sanitization and output escaping on user-supplied attributes. Exploitation requi...
CVE-2025-13960 GPXpress <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2025-13904
CVE-2025-13904 (WPGancio plugin for WordPress) is a Stored Cross-Site Scripting (Stored XSS) vulnerability in the gancio-event shortcode. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes, affecting all versions up to and including 1.12. Exploitation re...
WordPress LS Google Map Router plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Software: LS Google Map Router; Type: Plugin; Vulnerable versions: <= 1.1.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE ID: CVE-2025-13850; Patchstack priority: Low; CVSS severity: 6.5; Required privilege: Contributor; PSID: b2117d151506...
WordPress LS Google Map Router plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin LS Google Map Router versions <= 1.1.0...
WordPress FX Currency Converter plugin <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin FX Currency Converter versions <= 0.2.0...
WordPress Divelogs Widget plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Divelogs Widget versions <= 1.5...
WordPress GPXpress plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin GPXpress versions <= 1.3...
WordPress WPGancio plugin <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WPGancio versions <= 1.12...
WordPress WP Flot plugin <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WP Flot versions <= 0.2.2...
WordPress Zenost Shortcodes plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Zenost Shortcodes versions <= 1.0...
WordPress Easy Map Creator plugin <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Easy Map Creator versions <= 3.0.2...
WordPress App Landing Template Blocks for WPBakery Page Builder plugin <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin App Landing Template Blocks for WPBakery Visual Composer Page Builder versions <= 2.0.2...
WordPress Hide Email Address plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Hide Email Address versions <= 0.1...
WordPress Data Visualizer plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Data Visualizer versions <= 1.1...