CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

8961 matches found

RedhatCVE•added 2026/03/26 3:10 p.m.•3 views

CVE-2026-1886

The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin'...

6.4CVSS6AI score0.00243EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:10 p.m.•3 views

CVE-2026-1911

The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweettitle' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6AI score0.00187EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:10 p.m.•1 views

CVE-2026-1854

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS6AI score0.00243EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:10 p.m.•4 views

CVE-2026-1575

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's itemscope shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS6AI score0.00156EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:10 p.m.•2 views

CVE-2026-1889

The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00243EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:8 p.m.•2 views

CVE-2026-2496

The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edsfontawesome shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00243EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:8 p.m.•3 views

CVE-2026-2358

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wpulikelikersbox shortcode template attribute in all versions up to, and including, 5.0.1. This is due to the use of htmlentitydecode on shortcode attributes without subsequent output sanitization, which...

6.4CVSS6AI score0.0021EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:8 p.m.•3 views

CVE-2026-2501

The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's socialshare shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00193EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:7 p.m.•1 views

CVE-2026-4072

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email'...

6.4CVSS6AI score0.00193EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:7 p.m.•1 views

CVE-2026-4083

The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhgshortcode allows arbitrary HTML attributes to be added to the rendered element, with only a...

6.4CVSS6AI score0.00206EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:7 p.m.•3 views

CVE-2026-4084

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode...

6.4CVSS6AI score0.0025EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:6 p.m.•2 views

CVE-2026-4086

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

6.4CVSS6AI score0.00193EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:6 p.m.•1 views

CVE-2026-4004

The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callbacksearch function and insufficient input validation that allows shortcode syntax...

6.5CVSS6.1AI score0.00254EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:6 p.m.•1 views

CVE-2026-4077

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode...

6.4CVSS6AI score0.00201EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:6 p.m.•2 views

CVE-2026-22191

Beghelli Sicuro24 SicuroWeb contains a template injection vulnerability that allows attackers to inject arbitrary AngularJS expressions by exploiting improper rendering of untrusted input in AngularJS template contexts. Attackers can inject malicious expressions that are compiled and executed by...

5.2CVSS6.1AI score0.00362EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:6 p.m.•3 views

CVE-2026-0609

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode...

6.4CVSS6AI score0.00156EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 2:56 p.m.•5 views

CVE-2024-13785

The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before running...

5.6CVSS6.2AI score0.00268EPSS

Exploits0References1

EUVD•added 2026/03/26 9:30 a.m.•1 views

EUVD-2025-209044

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the updateresponsivewoofreeshippingleftshortcode AJAX action that does not properly validate the contentrechdata parameter before processi...

6.5CVSS6.2AI score0.00323EPSS

Exploits0References2

NVD•added 2026/03/26 7:16 a.m.•6 views

CVE-2025-15488

6.5CVSS0.00323EPSS

Exploits0References1

EUVD•added 2026/03/26 6:30 a.m.•2 views

EUVD-2026-16106

The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the leafext-cookie-time and leafext-delete-cookie shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on...

6.4CVSS6AI score0.00235EPSS

Exploits0References6

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by