EUVD-2026-5737

The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wikiloops shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1611

CVE-2026-1611 affects the Wikiloops Track Player plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the plugin’s wikiloops shortcode in all versions up to and including 1.0.1, caused by insufficient input sanitization and output escaping on user-supplied attributes...

EUVD-2026-5739

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1608 Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1608 Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1608

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1608

The CVE concerns the Video Onclick WordPress plugin with the youtube shortcode. All versions up to and including 0.4.7 are affected due to insufficient input sanitization and output escaping of user-supplied attributes, enabling Stored Cross‑Site Scripting. Exploitation requires authenticated acc...

CVE-2026-1570

CVE-2026-1570 affects the WordPress plug‑in “Simple Bible Verse via Shortcode.” The vulnerability is a Stored Cross‑Site Scripting (XSS) in the verse shortcode caused by insufficient input sanitization and output escaping for user-provided attributes, impacting all versions up to and including 1....

CVE-2026-1570 Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD-2026-5744

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1570 Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1570

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1808

The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplusbutton shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-1888

The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1909

The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers,...

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

CVE-2025-12803

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'btbbtabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-15267

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btbbaccordionitem shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

CVE-2025-15491

The CVE refers to the Post Slides WordPress plugin (versions up to 1.0.1) where a flaw in shortcode attribute validation allows generation of include paths, enabling Local File Inclusion (LFI) for authenticated users (e.g., contributor or higher). Root cause: some shortcode attributes are not val...