CVE-2024-13855 Prime Addons for Elementor <= 2.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode
The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2024-13573
CVE-2024-13573 relates to the WordPress plugin Zigaform – Form Builder Lite. Connected docs confirm a Stored Cross-Site Scripting (XSS) in this plugin, affecting versions up to at least 7.4.7 (according to PatchStack) and tied to the plugin's vulnerable shortcode handling. The issue stems from i...
CVE-2024-13459 FuseDesk <= 6.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusedesknewcase' shortcode in all versions up to, and including, 6.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-12447 Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode
The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
PT-2024-16096 · WordPress · Newsletters
Name of the Vulnerable Software and Affected Versions: Newsletters plugin for WordPress versions up to, and including, 4.9.9.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's newsletters video shortcode due to insufficient input sanitization and output escaping o...
PT-2024-18314 · WordPress · Husky – Products Filter For Woocommerce Professional
Name of the Vulnerable Software and Affected Versions: HUSKY – Products Filter for WooCommerce Professional plugin for WordPress versions up to, and including, 1.3.5.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'woof' shortcode due to insufficient input...
PT-2023-28700 · WordPress · Vrm 360 3D Model Viewer
Name of the Vulnerable Software and Affected Versions: Vrm 360 3D Model Viewer WordPress plugin versions 1.2.1 and earlier Description: The issue arises from insufficient checks in a plugin shortcode, allowing for arbitrary file upload. Recommendations: For Vrm 360 3D Model Viewer WordPress plugi...
CVE-2023-0367 Pricing Tables For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to...
CVE-2021-25034 WP User < 7.0 - Reflected Cross-Site Scripting
The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the wpuser shortcode is used, leading to Reflected Cross-Site Scripting issues...