8961 matches found
CVE-2026-25006 WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in 8theme XStore xstore allows Code Injection.This issue affects XStore: from n/a through = 9.6.4...
CVE-2026-22422
The CVE-2026-22422 entry concerns the WordPress Everest Forms plugin (Everest Forms, everest-forms) with versions from n/a through 3.4.1, where improper neutralization of script-related HTML tags in a web page allows Basic XSS and code injection. The issue is described as Arbitrary Shortcode Exec...
CVE-2026-22422 WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through = 3.4.1...
CVE-2026-22422 WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through = 3.4.1...
CVE-2025-12122
The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...
CVE-2025-6460
The Display During Conditional Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-13959
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-1807
The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...
CVE-2026-1666
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...
CVE-2026-0549
The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groupsgroupinfo' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-0556
The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xoeventfield' shortcode in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-13738
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ez-toc shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-13732
The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitizatio...
CVE-2025-13612
The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aigpl-gallery-album shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...
CVE-2025-14851
CVE-2025-14851 concerns YaMaps for WordPress Plugin (YaMaps for WordPress) for WordPress. The vulnerability is a Stored Cross-Site Scripting via the yamap shortcode parameters present in all versions up to and including 0.6.40. The issue stems from insufficient input sanitization and output escap...
CVE-2025-14851 YaMaps for WordPress <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters
The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the yamap shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2025-14851 YaMaps for WordPress <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters
The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the yamap shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2025-13738 Easy Table of Contents <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ez-toc shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-13738
CVE-2025-13738 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin Easy Table of Contents (ez-toc shortcode) affecting versions up to 2.0.78. The issue arises from insufficient input sanitization and output escaping on user-provided attributes, enabling an authenticated ...
CVE-2026-0549 Groups <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode
The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groupsgroupinfo' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...