CVE-2023-4035 Simple Blog Card < 1.31 - Contributor+ Stored XSS via Shortcode

The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-27407 · WordPress · Simple Blog Card

Name of the Vulnerable Software and Affected Versions: The Simple Blog Card WordPress plugin versions prior to 1.31 Description: The issue arises from the plugin's failure to validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is...

CVE-2023-0579

The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks...

CVE-2023-0274

The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-1110

The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attack...

Sql injection

The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks...

PT-2023-16380 · WordPress · Yarpp

Name of the Vulnerable Software and Affected Versions: YARPP WordPress plugin versions prior to 5.30.3 Description: The issue is related to the YARPP WordPress plugin, which does not validate and escape some of its shortcode attributes before using them in SQL statements. This could allow any...

PT-2023-16132 · WordPress · Url Params

Name of the Vulnerable Software and Affected Versions: URL Params WordPress plugin versions prior to 2.5 Description: The issue concerns the URL Params WordPress plugin, which does not validate and escape some of its shortcode attributes before outputting them back in a page or post where the...

CVE-2023-3387

The Lana Text to Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lanatexttoimage' and 'lanatexttoimg' shortcode in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

CVE-2023-0489

The SlideOnline WordPress plugin through 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0368

The Responsive Tabs For WPBakery Page Builder formerly Visual Composer WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...

CVE-2023-0489 SlideOnline <= 1.2.1 - Contributor+ Stored XSS

The SlideOnline WordPress plugin through 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Sermon'e – Sermons Online <= 1.0.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-16265 · WordPress · File Away

Name of the Vulnerable Software and Affected Versions: File Away WordPress plugin versions 3.9.9.0.1 and earlier Description: The issue concerns a lack of validation and escaping of one of its shortcode attributes. This could allow users with a role as low as contributor to perform a Stored...

CVE-2023-2305

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdmmembers', 'wpdmloginform', 'wpdmregform' shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2023-2031

The Locatoraid Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.9.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2023-1917

The PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-0152

The WP Multi Store Locator WordPress plugin through 2.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-16041 · WordPress · Wp Multi Store Locator

Name of the Vulnerable Software and Affected Versions: WP Multi Store Locator WordPress plugin versions prior to 2.5 Description: The issue concerns the WP Multi Store Locator WordPress plugin, which does not properly validate and escape certain shortcode attributes. This could allow users with t...

CVE-2022-4676

The OSM WordPress plugin through 6.01 does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...