8961 matches found
EUVD-2026-18997
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...
EUVD-2026-18991
The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfoptinform' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of th...
CVE-2026-3309
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...
CVE-2026-3309
This CVE (CVE-2026-3309) concerns the ProfilePress plugin for WordPress (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content) affected up to version 4.16.11. The issue enables unauthenticated attackers to perform arbitrary shortcode execution via...
CVE-2026-3309 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...
CVE-2026-3309
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...
CVE-2026-3309 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...
CVE-2026-0626
CVE-2026-0626 affects the WordPress plugin WPFunnels – Easy Funnel Builder (all versions up to and including 3.7.9). The vulnerability is in the wpf_optin_form shortcode, where insufficient input sanitization and output escaping of the button_icon parameter allows an authenticated attacker with c...
EUVD-2026-18971
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-2437
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wtetriptax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-2437 WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wtetriptax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-2437 WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wtetriptax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-0738
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sucarousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'suslidelink' attachment meta field...
CVE-2026-0737
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the sulightbox shortcode. This makes it possib...
CVE-2026-0552
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-0552 Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpscdisplayproduct' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-0738
CVE-2026-0738 affects the WordPress plugin Shortcodes Ultimate (WP Shortcodes Plugin). The vulnerability is a Stored Cross-Site Scripting (XSS) via the su_carousel shortcode, up to version 7.4.8 inclusive. Root cause: insufficient input sanitization and output escaping in the su_slide_link attach...
WordPress WP Travel Engine - Travel and Tour Booking Plugin plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode vulnerability
WordPress WP Travel Engine - Travel and Tour Booking Plugin plugin = 6.7.5 - Authenticated Contributor+ Stored Cross-Site Scripting via wtetriptax Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Travel Engine versions = 6.7.5...
PT-2026-30314
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte trip tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...
PT-2026-30308
Name of the Vulnerable Software and Affected Versions The Simple Shopping Cart plugin for WordPress versions up to and including 5.2.4 Description The Simple Shopping Cart plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'wpsc display product' shortcode. Insufficient...