
24 matches found

CNNVD
added 2026/01/07 12:0 a.m. · 1 views

WordPress plugin Awesome Hotel Booking security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

5.3 CVSS · 6.3 AI score · 0.00033 EPSS
Exploits 0 · References 3
EUVD
added 2025/11/17 10:27 p.m. · 1 views

EUVD-2025-197883

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before...

5.4 CVSS · 6 AI score · 0.00047 EPSS
Exploits 0 · References 3
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2023-12488

Malicious code in bioql PyPI...

5.4 CVSS · 6.6 AI score · 0.00145 EPSS
Exploits 1 · References 1
CNNVD
added 2025/09/06 12:0 a.m. · 2 views

WordPress plugin REHub code injection vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code injection...

7.3 CVSS · 8 AI score · 0.00776 EPSS
Exploits 0 · References 3
CVE
added 2025/08/16 11:11 a.m. · 14 views

CVE-2025-8105

CVE-2025-8105 relates to the Soledad WordPress theme (versions ≤ 8.6.7). The vulnerability allows unauthenticated attackers to trigger arbitrary shortcode execution via do_shortcode due to insufficient value validation. Multiple sources (Wordfence, NVD, patched advisories) confirm the issue and i...

7.3 CVSS · 7.3 AI score · 0.00842 EPSS
Exploits 0 · References 2
RedhatCVE
added 2025/07/10 9:27 a.m. · 8 views

CVE-2025-6744

The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the...

7.3 CVSS · 7.9 AI score · 0.01316 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 12:46 a.m. · 7 views

CVE-2022-4670

The PDF.js Viewer WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4 CVSS · 5.9 AI score · 0.00296 EPSS
Exploits 2 · References 1
OSV
added 2025/05/08 5:15 a.m. · 0 views

CVE-2024-13793

The Wolmart | Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to execute an action that does not properly validate a value before running...

7.3 CVSS · 6.1 AI score
Exploits 0 · References 2
Positive Technologies
added 2025/02/22 12:0 a.m. · 1 views

PT-2025-7517 · WordPress · Show Me The Cookies

Name of the Vulnerable Software and Affected Versions: The Show Me The Cookies plugin for WordPress versions up to, and including, 1.0
Description: The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value...

9.8 CVSS · 9.6 AI score · 0.00163 EPSS
Exploits 0 · References 11
Positive Technologies
added 2025/01/31 12:0 a.m. · 1 views

PT-2025-1837 · WordPress · Ai Infographic Maker

Name of the Vulnerable Software and Affected Versions: AI Infographic Maker plugin for WordPress versions up to, and including, 4.9.0
Description: The issue is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes i...

6.5 CVSS · 9.7 AI score · 0.01041 EPSS
Exploits 0 · References 9
CVE
added 2024/11/09 11:19 a.m. · 43 views

CVE-2024-10640

CVE-2024-10640 concerns the FOX – Currency Switcher Professional for WooCommerce (WordPress) plugin. It allows unauthenticated users to trigger arbitrary shortcode execution because the value passed to do_shortcode is not properly validated. Affected versions are up to and including 1.4.2.2; the ...

7.3 CVSS · 7.4 AI score · 0.01233 EPSS
Exploits 0 · References 2
Cvelist
added 2024/11/09 11:19 a.m. · 17 views

CVE-2024-10640 The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running...

7.3 CVSS · 0.01233 EPSS
Exploits 0 · References 2
NVD
added 2024/07/13 6:15 a.m. · 17 views

CVE-2024-3919

The OpenPGP Form Encryption for WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

4.6 CVSS · 0.00228 EPSS
Exploits 1 · References 1
WPVulnDB
added 2023/06/12 12:0 a.m. · 22 views

ND Shortcodes < 7.0 - Subscriber+ LFI

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a subscriber, to perform LFI attacks.
PoC: Run the below command in the developer console of the web browser while being on the blog as a...

8.8 CVSS · 8.3 AI score · 0.12762 EPSS
Exploits 2 · Affected Software 1
Positive Technologies
added 2023/06/05 12:0 a.m. · 7 views

PT-2023-15932 · WordPress · Frontend Post Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Frontend Post WordPress Plugin versions through 2.8.4
Description: The issue concerns a lack of validation for an attribute in one of the plugin's shortcodes. This could allow users with a role as low as contributor to add a malicious shortco...

5.4 CVSS · 9.4 AI score · 0.00326 EPSS
Exploits 2 · References 4
Positive Technologies
added 2023/03/13 12:0 a.m. · 1 views

PT-2023-14964 · WordPress · Widgets For Woocommerce Products On Elementor

Name of the Vulnerable Software and Affected Versions: Widgets for WooCommerce Products on Elementor WordPress plugin versions prior to 1.0.8
Description: The issue is related to the lack of validation and escaping of some shortcode attributes in the Widgets for WooCommerce Products on Elementor...

5.4 CVSS · 6 AI score · 0.00181 EPSS
Exploits 2 · References 6
Prion
added 2023/02/13 3:15 p.m. · 12 views

Design/Logic Flaw

The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attributes, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non-PHP files and retrieve their...

6.5 CVSS · 8.6 AI score · 0.01398 EPSS
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2023/02/13 2:32 p.m. · 13 views

CVE-2023-0177 Social Like Box and Page by WpDevArt < 0.8.41 - Contributor+ Stored XSS

The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...

5.5 AI score · 0.00181 EPSS
Exploits 2 · References 1
Cvelist
added 2023/02/13 2:32 p.m. · 15 views

CVE-2022-4682 Lightbox Gallery < 0.9.5 - Contributor+ Stored XSS via Shortcode

The Lightbox Gallery WordPress plugin before 0.9.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.5 AI score · 0.00769 EPSS
Exploits 2 · References 1
Vulnrichment
added 2023/01/30 8:31 p.m. · 3 views

CVE-2022-4699 MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode

The MediaElement.js WordPress plugin through 4.2.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against...

5.4 AI score · 0.00296 EPSS
Exploits 2 · References 1