WordPress LS Google Map Router plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Software : LS Google Map Router Type : Plugin Vulnerable versions : = 1.1.0 OWASP Top 10 : A3: Injection Classification : Cross Site Scripting XSS CVE ID : CVE-2025-13850 Patchstack priority : Low CVSS severity : 6.5 Required privilege : Contributor Developer : Claim ownership PSID : b2117d151506...

WordPress LS Google Map Router plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin LS Google Map Router versions = 1.1.0...

WordPress FX Currency Converter plugin <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin FX Currency Converter versions = 0.2.0...

WordPress Divelogs Widget plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Divelogs Widget versions = 1.5...

WordPress GPXpress plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin GPXpress versions = 1.3...

WordPress WPGancio plugin <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WPGancio versions = 1.12...

WordPress WP Flot plugin <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WP Flot versions = 0.2.2...

WordPress Zenost Shortcodes plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Zenost Shortcodes versions = 1.0...

WordPress Easy Map Creator plugin <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Easy Map Creator versions = 3.0.2...

WordPress App Landing Template Blocks for WPBakery Page Builder plugin <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin App Landing Template Blocks for WPBakery Visual Composer Page Builder versions = 2.0.2...

WordPress Hide Email Address plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Hide Email Address versions = 0.1...

WordPress Data Visualizer plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Data Visualizer versions = 1.1...

WordPress Simple Nivo Slider plugin <= 0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Peter Thaleikis in WordPress Plugin Simple Nivo Slider versions = 0.5.6...

EUVD-2025-201883

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks...

CVE-2025-13070

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks...

CVE-2025-13070 CSV to SortTable <= 4.2 - Contributor+ LFI

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks...

CVE-2025-13070 CSV to SortTable <= 4.2 - Contributor+ LFI

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks...

PT-2025-49802

Name of the Vulnerable Software and Affected Versions CSV to SortTable WordPress plugin versions through 4.2 Description The software does not properly check certain shortcode attributes before using them to create file paths that are then used with include functions. This allows users with...

CVE-2025-13899

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

EUVD-2025-201526

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...