CVE-2026-3554

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

CVE-2026-3554

The vulnerability affects the Sherk Custom Post Type Displays WordPress plugin (up to version 1.2.1). In sherkcptdisplays_func(), the title attribute of the sherkcptdisplays shortcode is read via shortcode_atts() and directly concatenated into an HTML without escaping, enabling Stored XSS. Explo...

CVE-2026-1911

The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweettitle' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2026-0609

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability in all versions up to and including 4.9.0, caused by insufficient input sanitization and output escaping in the 'logo-slider' shortcode. Exploitation...

CVE-2026-0609 Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode...

CVE-2026-0609 Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode...

CVE-2026-1575 Schema Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's itemscope shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1575 Schema Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's itemscope shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1575

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's itemscope shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1575

The CVE-2026-1575 entry refers to the WordPress Schema Shortcode plugin vulnerability: a Stored Cross-Site Scripting issue in the plugin’s itemscope shortcode, affecting all versions up to 1.0. Root cause: insufficient input sanitization and output escaping on user-provided attributes, enabling a...

CVE-2026-1275

CVE-2026-1275 concerns the WordPress plugin Multi Post Carousel by Category and its vulnerability to a Stored Cross-Site Scripting (XSS) via the slides shortcode attribute in all versions up to 1.4. The root cause is insufficient input sanitization and output escaping in the function handling the...

CVE-2026-1908 Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1908 Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1275

The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the...

CVE-2026-1908

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-3617

The CVE-2026-3617 entry concerns the Paypal Shortcode plugin for WordPress, with Stored Cross-Site Scripting in all versions up to 0.3. The root cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes (amount and name). The swer_paypal_shortcode() functi...

CVE-2026-3617 Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The...

CVE-2026-3617 Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The...

CVE-2026-3617

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The...

CVE-2026-4072

The CVE concerns the WordPress PayPal Donation plugin for WordPress, vulnerable to Stored Cross-Site Scripting up to version 1.01 via the donate shortcode. The issue arises from insufficient input sanitization and output escaping on shortcode attributes (amount, email, title, return_url, cancel_u...