27 matches found
CVE-2026-3600
The CVE concerns the WordPress plugin Investi. It is vulnerable to Stored Cross-Site Scripting via the shortcode attribute maximum-num-years in the investi-announcements-accordion shortcode, affecting versions up to and including 1.0.26. The root cause is insufficient input sanitization and out...
CVE-2025-11880
The CVE-2025-11880 entry applies to the WordPress plugin SM CountDown Widget (shortcode: smcountdown). Affected versions are
EUVD-2021-11478
Malware in sbrugna...
EUVD-2021-11873
Malware in sbrugna...
EUVD-2022-51998
Malicious code in bioql PyPI...
EUVD-2024-43476
Malicious code in bioql PyPI...
EUVD-2023-58214
Malicious code in bioql PyPI...
EUVD-2023-59088
Malicious code in bioql PyPI...
CVE-2024-1450
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible fo...
CVE-2024-10688
The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2022-4672
The WordPress Simple Shopping Cart WordPress plugin before 4.6.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used...
CVE-2022-4824
The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...
CVE-2022-4650
The HashBar WordPress plugin before 1.3.6 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...
CVE-2021-24414
The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embedded malicious shortcode...
CVE-2025-4100
The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'npmarinetrafficmap' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
PT-2025-2241 · WordPress · Music Sheet Viewer
Name of the Vulnerable Software and Affected Versions: Music Sheet Viewer plugin for WordPress versions up to, and including, 4.1
Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'pn msv' shortcode due to insufficient input sanitization and output escaping on...
PT-2025-2214 · WordPress · Power Ups For Elementor
Name of the Vulnerable Software and Affected Versions: Power Ups for Elementor plugin for WordPress versions up to, and including, 1.2.2
Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode due to insufficient input sanitization and output...
CVE-2024-13572
The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...
CVE-2024-12528
The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypollresults' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on use...
CVE-2024-5427
The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Reservation Form shortcode in all versions up to, and including, 2.2.24 due to insufficient input sanitization and outp...