876 matches found
CVE-2024-13495
CVE-2024-13495 affects the WordPress plugin GamiPress – Gamification (versions up to and including 7.2.1). The flaw is in gamipress_ajax_get_logs(), where user-supplied values are not properly validated before do_shortcode is invoked, allowing unauthenticated attackers to execute arbitrary shortc...
CVE-2024-13361 AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above,...
CVE-2024-13361
CVE-2024-13361 involves the WordPress plugin “AI Power: Complete AI Pack.” The vulnerability arises from a missing capability check in wpaicg_save_image_media across versions up to 1.8.96, enabling authenticated attackers with Subscriber+ access to upload image files and embed shortcode attribute...
WordPress GamiPress plugin <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function vulnerability
Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function vulnerability discovered by mikemyers in WordPress Plugin GamiPress versions <= 7.2.1...
WordPress AI Power: Complete AI Pack plugin <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution vulnerability discovered by mikemyers in WordPress Plugin GPT3 AI Content Writer versions <= 1.8.96...
PT-2025-2191 · WordPress · Gamipress
Name of the Vulnerable Software and Affected Versions: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress versions up to, and including, 7.2.1 Description: The issue is related to arbitrary shortcode execution via the gamipress do shortcode function. This ...
CVE-2024-10970
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode...
CVE-2024-10970 Motors – Car Dealer, Classifieds & Listing <= 1.4.43 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode...
CVE-2024-10970
CVE-2024-10970 (The Motors – Car Dealer, Classifieds & Listing plugin for WordPress) is exposed in all versions up to 1.4.43. The root cause is that the plugin allows a value to be passed into do_shortcode without proper validation, enabling an authenticated attacker (Subscriber+ level) to execut...
PT-2025-1617 · WordPress · The Motors – Car Dealer
Name of the Vulnerable Software and Affected Versions: The Motors – Car Dealer, Classifieds & Listing plugin for WordPress versions 1.4.43 and earlier Description: The issue allows authenticated attackers with Subscriber-level access and above to execute arbitrary shortcodes due to the software...
WordPress Motors plugin <= 1.4.43 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title vulnerability
Authenticated Subscriber+ Arbitrary Shortcode Execution via Custom Title vulnerability discovered by WordFence in WordPress Plugin Motors versions <= 1.4.43...
CVE-2024-12419
The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
CVE-2024-12419
CVE-2024-12419 affects the Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. All versions up to 1.7.0 allow unauthenticated users to trigger arbitrary shortcode execution by calling an action that does not validate the value before do_shortcode. This also enables Reflected Cross-...
CVE-2024-12419 Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
CVE-2024-12419 Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.0 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
PT-2025-1839 · WordPress · Cf7 Wow Styler
Name of the Vulnerable Software and Affected Versions: The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress versions prior to 1.7.1 Description: The issue is due to the software allowing users to execute an action that does not properly validate a value befor...
WordPress CF7 WOW Styler plugin <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting vulnerability
Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin CF7 WOW Styler versions <= 1.7.1...
CVE-2024-11733 WordPress Popular Posts <= 7.1.0 - Unauthenticated Arbitrary Shortcode Execution
The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possib...