CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD-2026-14190

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the game shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src',...

EUVD•added 2026/03/21 6:30 a.m.•2 views

Exploits0References10

EUVD-2026-13999

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The adfunc shortcode handle...

6.4CVSS6AI score0.00188EPSS

Exploits0References6

6.4CVSS6AI score0.00193EPSS

EUVD-2026-14177

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email'...

Exploits0References6

EUVD-2026-14005

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

EUVD•added 2026/03/21 6:30 a.m.•0 views

EUVD-2026-14008

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

EUVD•added 2026/03/21 6:30 a.m.•5 views

Exploits0References4

EUVD-2026-14001

The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD•added 2026/03/21 6:30 a.m.•1 views

EUVD-2026-14002

The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD-2026-14174

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Exploits0References4

EUVD-2026-13990

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmrfbscoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD•added 2026/03/21 6:30 a.m.•4 views

Exploits0References4

EUVD-2024-55483

The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before running...

5.6CVSS6.2AI score0.00268EPSS

Exploits0References3

EUVD•added 2026/03/21 6:30 a.m.•2 views

EUVD-2026-13996

The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied...

NVD•added 2026/03/21 4:17 a.m.•4 views

CVE-2026-4086

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wprandombutton' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on...

6.4CVSS0.00193EPSS

NVD•added 2026/03/21 4:17 a.m.•1 views

CVE-2026-4067

6.4CVSS0.00188EPSS

CVE-2026-4077

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode...

6.4CVSS0.00201EPSS

Exploits0References7

CVE-2026-4072

6.4CVSS0.00193EPSS

NVD•added 2026/03/21 4:17 a.m.•3 views

CVE-2026-3996

6.4CVSS0.00235EPSS

Exploits0References9

CVE-2026-3617

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The...

6.4CVSS0.00201EPSS

Exploits0References7

CVE-2026-3619

The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the sheets2table-render-table shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the...

6.4CVSS0.00193EPSS

NVD•added 2026/03/21 4:17 a.m.•4 views

CVE-2026-3554

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

6.4CVSS0.00204EPSS