CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-2127

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-2127 SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the siteoriginwidgetpreviewwidgetaction function which is registered via the...

CVE-2026-1941

CVE-2026-1941 : WP Event Aggregator for WordPress is vulnerable to Stored XSS via the shortcode wp_events in all versions up to 1.8.7. Exploitation requires Contributor-level access or higher; an attacker can inject scripts that execute when users load the injected page. Wordfence and CVE records...

CVE-2026-1941 WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpevents' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1941 WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpevents' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1941

The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpevents' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1666

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...

CVE-2026-1807

The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

CVE-2026-1807

CVE-2026-1807 – The WordPress plugin InteractiveCalculator for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s interactivecalculator shortcode, specifically the shortcodes’ id attribute. The issue is exploitable by authenticated users with Contributor+ access in all versio...

CVE-2026-1807

The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

CVE-2026-1666

CVE-2026-1666 affects the WordPress Download Manager plugin. It is a Reflected Cross-Site Scripting vulnerability in the login form shortcode via the vulnerable redirect_to GET parameter, due to insufficient input sanitization and output escaping. Affected: all versions up to and including 3.3.46...

CVE-2026-1666

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...

CVE-2026-1666 Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...

CVE-2026-1666 Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirectto' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirectto' GET parameter in the login form shortcode...

CVE-2025-12122

The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2025-12122

CVE-2025-12122 concerns the WordPress plugin “Popup Box – Easily Create WordPress Popups” where a Stored Cross-Site Scripting (XSS) vulnerability exists via the plugin’s iframeBox shortcode. The issue affects all versions up to and including 3.2.12 and stems from insufficient input sanitization a...

CVE-2025-12122 Popup Box – Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2025-12122

The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVE-2025-12122 Popup Box – Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...