718 matches found
CVE-2026-0557
The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdaapp' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2026-8062
The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2026-8063
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm lms courses grid display' shortcode in all versions up to, and including, 3.7.11 due to insufficient input sanitization and output escapi...
PT-2026-8078
The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
WordPress myCred plugin <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'mycredloadcoupon' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin myCred versions = 2.9.7.3...
CVE-2026-1885
The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2026-1826 OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the orderqrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible fo...
CVE-2026-1853
The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1853 BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute
The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-1893
The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-1893
The CVE affects Orbisius Random Name Generator for WordPress. Description: Stored Cross-Site Scripting via the btn_label shortcode attribute in orbisius_random_name_generator, affect versions up to 1.0.2. Root cause: insufficient input sanitization and output escaping. Impact: authenticated attac...
CVE-2026-1922
The The Events Calendar Shortcode & Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ecs-list-events shortcode message attribute in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-1922
CVE-2026-1922 : The Events Calendar Shortcode & Block plugin for WordPress contains a stored XSS vulnerability in the ecs-list-events shortcode, via the message attribute. It affects all versions up to 3.1.2 and arises from insufficient input sanitization and output escaping on user-supplied attr...
CVE-2026-1573 OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's omigodonatebutton shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-1573
Summary: CVE-2026-1573 affects the WordPress OMIGO plugin (versions up to and including 3.3). Vulnerability: Stored Cross-Site Scripting via the plugin’s omigo_donate_button shortcode. Insufficient input sanitization and output escaping on user-supplied attributes. Impact: Authenticated attackers...
CVE-2026-1611
CVE-2026-1611 affects the Wikiloops Track Player plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the plugin’s wikiloops shortcode in all versions up to and including 1.0.1, caused by insufficient input sanitization and output escaping on user-supplied attributes...
CVE-2026-1570 Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-15267
The CVE-2025-15267 entry concerns the Bold Page Builder WordPress plugin (versions up to and including 5.5.7). The vulnerability is a Stored Cross-Site Scripting flaw in the bt_bb_accordion_item shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes. I...
WordPress Video Onclick plugin <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Video Onclick versions = 0.4.7...
WordPress Simple Bible Verse via Shortcode plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zaim in WordPress Plugin Simple Bible Verse via Shortcode versions = 1.1...