CVE-2025-14626

The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2025-14147

The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2025-14145

The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nhrow shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possib...

CVE-2025-13841

The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied...

CVE-2023-4598

The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVE-2023-4999

The Horizontal scrolling announcement plugin for WordPress is vulnerable to SQL Injection via the plugin's horizontal-scrolling shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

CVE-2025-23618

Cross-Site Request Forgery CSRF vulnerability in starise Twitter Shortcode twitter-shortcode allows Stored XSS.This issue affects Twitter Shortcode: from n/a through = 0.9...

CVE-2025-23569

Cross-Site Request Forgery CSRF vulnerability in Kelvin Ng Shortcode in Comment shortcode-in-comment allows Stored XSS.This issue affects Shortcode in Comment: from n/a through = 1.1.1...

CVE-2025-14835

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-0563

The WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsvmap' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2026-0563

CVE-2026-0563 affects the WordPress plugin “WP Google Street View (with 360° virtual tour) & Google maps + Local SEO” and the vulnerability is a Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the wpgsv_map shortcode. The flaw enables an attacker with at ...

CVE-2026-0563 WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode

The WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsvmap' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2026-0563 WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode

The WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsvmap' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible...

WordPress WoodMart theme <= 8.3.7 - Arbitrary Shortcode Execution vulnerability

Arbitrary Shortcode Execution vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme WoodMart versions = 8.3.7...

PT-2026-1729

Name of the Vulnerable Software and Affected Versions Woodpecker for WordPress plugin versions up to and including 3.0.4 Description The Woodpecker for WordPress plugin is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping in the form na...

PT-2026-1717

Name of the Vulnerable Software and Affected Versions Nearby Now Reviews plugin for WordPress versions up to and including 5.2 Description The Nearby Now Reviews plugin for WordPress is susceptible to Stored Cross-Site Scripting through the data tech parameter of the nn-tech shortcode. Insufficie...

PT-2026-1725

Name of the Vulnerable Software and Affected Versions PullQuote versions prior to 1.1 Description The PullQuote plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'pullquote' shortcode. Insufficient input sanitization and output escaping on user-supplied attributes...

PT-2026-1718

Name of the Vulnerable Software and Affected Versions Curved Text versions prior to 0.1 Description The Curved Text plugin for WordPress is susceptible to Stored Cross-Site Scripting through the radius parameter of the arctext shortcode. Insufficient input sanitization and output escaping allow...

PT-2026-1710

Name of the Vulnerable Software and Affected Versions Entry Views versions prior to 1.0.1 Description The Entry Views plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'entry-views' shortcode. Insufficient input sanitization and output escaping on user-supplied...

PT-2026-1724

Name of the Vulnerable Software and Affected Versions WP Popup Magic plugin for WordPress versions prior to 1.0.1 Description The WP Popup Magic plugin for WordPress is susceptible to Stored Cross-Site Scripting through the name parameter of the wppum end shortcode. Insufficient input sanitizatio...