CVE-2026-25006 WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through = 9.6.4...

CVE-2026-25006

CVE-2026-25006 affects the WordPress XStore theme up to version 9.6.4. The Root Cause is improper neutralization of script-related HTML tags in a web page, enabling Code Injection via XStore’s shortcode handling. Affected product: XStore theme (WordPress). Impact: potential arbitrary shortcode ex...

CVE-2026-22422

The CVE-2026-22422 entry concerns the WordPress Everest Forms plugin (Everest Forms, everest-forms) with versions from n/a through 3.4.1, where improper neutralization of script-related HTML tags in a web page allows Basic XSS and code injection. The issue is described as Arbitrary Shortcode Exec...

CVE-2026-22422 WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through = 3.4.1...

CVE-2026-2127

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-2127

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

WordPress SiteOrigin Widgets Bundle plugin <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution vulnerability discovered by bashu - KCSC in WordPress Plugin SiteOrigin Widgets Bundle versions = 1.70.4...

PT-2026-20365

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteorigin widget preview widget action function which is registered via the wp ajax so...

WordPress Geo Controller plugin <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution vulnerability

Missing Authorization to Unauthenticated Shortcode Execution vulnerability discovered by Lucio Sá in WordPress Plugin Geo Controller versions = 8.6.9...

CVE-2026-24564 WordPress Textmetrics plugin <= 3.6.5 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Israpil Textmetrics webtexttool allows Code Injection.This issue affects Textmetrics: from n/a through = 3.6.5...

CVE-2026-24564 WordPress Textmetrics plugin <= 3.6.5 - Content Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Israpil Textmetrics webtexttool allows Code Injection.This issue affects Textmetrics: from n/a through = 3.6.5...

CVE-2026-24564

CVE-2026-24564 is a WordPress Textmetrics plugin vulnerability (Textmetrics webtexttool) that allows authenticated shortcode execution / code injection through improper neutralization of script-related HTML tags. Affected versions are Textmetrics up to 3.6.3 (Wordfence notes Subscriber+ context f...

WordPress BuddyPress plugin <= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by mikemyers in WordPress Plugin BuddyPress versions = 14.3.3...

CVE-2024-11976

The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-11976 BuddyPress <= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution

The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-11976

CVE-2024-11976 : The BuddyPress WordPress plugin is vulnerable to unauthenticated arbitrary shortcode execution in all versions up to and including 14.3.3 due to insufficient validation before running do_shortcode. This allows attackers to execute arbitrary shortcodes on affected sites. Remediati...

CVE-2024-11976 BuddyPress <= 14.3.3 - Unauthenticated Arbitrary Shortcode Execution

The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

WordPress Plugin BuddyPress Code Injection Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...