WordPress Thai Lottery Widget plugin <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Peerapat Samatathanyakorn in WordPress Plugin Thai Lottery Widget versions = 2.5...

CVE-2025-12712

CVE-2025-12712 (Shouty WordPress plugin) vulnerable in all versions up to 0.2.1 due to insufficient input sanitization and output escaping on shouty shortcode attributes, enabling stored cross-site scripting. Exploitation requires authenticated access at Contributor level or higher; an attacker c...

CVE-2025-12712 Shouty <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shouty Shortcode Attributes

The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

WordPress Shouty plugin <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shouty Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via shouty Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Shouty versions = 0.2.1...

CVE-2025-11765

CVE-2025-11765 : The WordPress plugin Stock Tools is vulnerable to stored XSS via the shortcode attributes image_height and image_width in all versions up to 1.1. The issue stems from insufficient input sanitization and output escaping. Exploitation requires authentication at contributor level or...

CVE-2025-11868

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

WordPress plugin Code Snippets 代码注入漏洞

WordPress Code Snippets plugin is a plugin designed for WordPress to conveniently add and manage custom code snippets without having to directly modify the theme files. The WordPress Code Snippets plugin suffers from a code injection vulnerability that stems from the evaluateshortcodefromflatfile...

CVE-2025-11868

The WordPress everviz plugin (up to version 1.1) is vulnerable to Stored Cross‑Site Scripting via the everviz shortcode attributes. The root cause is inadequate input sanitization and output escaping when building a from the type and hash attributes. This allows authenticated attackers with cont...

EUVD-2025-197932

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

CVE-2025-11868 everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

CVE-2025-11868 everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

PT-2025-47252

Name of the Vulnerable Software and Affected Versions everviz plugin for WordPress versions up to and including 1.1 Description The everviz plugin for WordPress is susceptible to Stored Cross-Site Scripting through the everviz shortcode attributes. The issue arises from insufficient sanitization ...

EUVD-2025-60921

The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videosrc', 'imgsrc', and 'class' parameters in the livephotosphoto shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on...

CVE-2025-12651

CVE-2025-12651 describes a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Live Photos on WordPress . The flaw arises from insufficient input sanitization and output escaping for user-supplied attributes in the shortcode livephotos_photo, specifically the parameters video_...

CVE-2025-11745

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field through the plugin's 'adinserter' shortcode in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on user supplied...

CVE-2025-11745

CVE-2025-11745 affects the WordPress plugin Ad Inserter – Ad Manager & AdSense Ads (versions up to and including 2.8.7). The vulnerability is a Stored Cross‑Site Scripting flaw in which user‑supplied attributes in the adinserter shortcode are insufficiently sanitized/escaped, allowing authenticat...

WordPress TablePress plugin <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Rafshanzani Suhada in WordPress Plugin TablePress versions = 3.2.4...

CVE-2025-12324

CVE-2025-12324 affects the WordPress plugin TablePress (versions up to 3.2.3). The vulnerability is a Stored Cross-Site Scripting via table shortcode attributes caused by insufficient input sanitization and output escaping. Exploitation requires at least contributor-level access; an attacker can ...

CVE-2025-12324 TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's table shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

CVE-2025-12324 TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's table shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...