PT-2026-31101

The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the scm member data shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-31112

Name of the Vulnerable Software and Affected Versions The Magic Conversation For Gravity Forms plugin for WordPress versions up to and including 3.0.97 Description The Magic Conversation For Gravity Forms plugin for WordPress is susceptible to Stored Cross-Site Scripting through the...

PT-2026-31453

The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

WordPress plugin LightPress Lightbox 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin The Plus Addons for Elementor 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

WordPress plugin pdfl.io 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-31287

Name of the Vulnerable Software and Affected Versions pdfl.io plugin for WordPress versions up to and including 1.0.5 Description The pdfl.io plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'pdflio' shortcode. This occurs because of inadequate input sanitization and...

PT-2026-31286

Name of the Vulnerable Software and Affected Versions PrivateContent Free versions up to and including 1.2.0 Description The PrivateContent Free plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'align' shortcode attribute within the pc-login-form shortcode. This occu...

PT-2026-31074

Name of the Vulnerable Software and Affected Versions Strong Testimonials versions up to and including 3.2.21 Description The Strong Testimonials plugin for WordPress is susceptible to Stored Cross-Site Scripting through the testimonial view shortcode. Insufficient input sanitization and output...

WordPress Wavr plugin <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin Wavr versions = 0.2.6...

WordPress WowPress plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin WowPress versions = 1.0.0...

WordPress Investi plugin <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Investi versions = 1.0.26...

WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability

WordPress TableOn - WordPress Posts Table Filterable plugin = 1.0.4.4 - Authenticated Contributor+ Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin TableOn versions = 1.0.4.4...

WordPress LearnPress plugin <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin LearnPress versions = 4.3.3...

WordPress LatePoint plugin <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zaim in WordPress Plugin LatePoint versions = 5.3.0...

WordPress LightPress Lightbox plugin <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP jQuery Lightbox versions = 2.3.4...

WordPress Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields vulnerability

WordPress Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin = 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPres...

WordPress WPFunnels plugin <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'wpfoptinform' Shortcode vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin WPFunnels versions = 3.7.9...

CVE-2026-3309

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...

CVE-2026-0552

The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...