CVE-2023-4960
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfmstores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2023-4890
The JQuery Accordion Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-4944
The Awesome Weather Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2023-4889
The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2025-13900
CVE-2025-13900 refers to the WP Popup Magic plugin for WordPress, with a Stored XSS vulnerability in the shortcode [wppum_end] via the name parameter. The connected Wordfence summary confirms the flaw affects WP Popup Magic and lists it as an authenticated (Contributor+) Stored Cross‑Site Scripti...
CVE-2025-13853 Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'datatech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2025-13900 WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the wppumend shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-13853
CVE-2025-13853 affects Nearby Now Reviews (WordPress plugin) and is an authenticated Stored XSS in the nn-tech shortcode via the data_tech parameter, impacting all versions up to 5.2. The flaw arises from insufficient input sanitization and output escaping, enabling an attacker with Contributor+ ...
CVE-2025-13729
CVE-2025-13729 affects the Entry Views WordPress plugin. It is a Stored Cross-Site Scripting vulnerability via the plugin’s entry-views shortcode in all versions up to 1.0.0, caused by insufficient input sanitization and output escaping of user-provided shortcode attributes. Exploitation requires...
CVE-2025-13729 Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-23896
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in thom4 Mindmeister Shortcode mindmeister-shortcode allows DOM-Based XSS. This issue affects Mindmeister Shortcode: from n/a through <= 1.0...
CVE-2025-23825
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in osuthorpe Easy Shortcode Buttons easy-shortcode-buttons allows Stored XSS. This issue affects Easy Shortcode Buttons: from n/a through <= 1.2...
CVE-2025-23946
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Le-Pixel-Solitaire Enhanced YouTube Shortcode enhanced-youtube-shortcode allows Stored XSS. This issue affects Enhanced YouTube Shortcode: from n/a through <= 2.0.1...
CVE-2025-23943
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in aruvi PDF.js Shortcode pdfjs-shortcode allows Stored XSS. This issue affects PDF.js Shortcode: from n/a through <= 1.0...
CVE-2025-23893
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Manny Costales GMap Shortcode gmap-shortcode allows DOM-Based XSS. This issue affects GMap Shortcode: from n/a through <= 2.0...
CVE-2025-14867
The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary file...
CVE-2025-14053
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
CVE-2025-14121
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edddownloadinfolink' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...