
8962 matches found

Patchstack
added 2026/01/06 11:14 p.m. | 3 views

WordPress STM Gallery 1.9 plugin <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin STM Gallery 1.9 versions <= 0.9...

CVSS 6.4 | AI score 5.6 | EPSS 0.00287
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/01/06 11:09 p.m. | 4 views

WordPress EDD Download Info plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin EDD Download Info versions <= 1.1...

CVSS 6.4 | AI score 5.6 | EPSS 0.00181
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/01/06 11:01 p.m. | 3 views

WordPress AI BotKit plugin <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin AI BotKit versions <= 1.1.7...

CVSS 6.4 | AI score 5.8 | EPSS 0.00188
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/01/06 10:49 p.m. | 4 views

WordPress PhotoFade plugin <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin PhotoFade versions <= 0.2.1...

CVSS 6.4 | AI score 5.8 | EPSS 0.00287
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2026/01/06 9:20 a.m. | 16 views

CVE-2025-14552

CVE-2025-14552 affects the WordPress MediaPress plugin (MediaPress) and is a Stored Cross-Site Scripting vulnerability in the mpp-uploader shortcode, exploitable in all versions up to 1.6.1. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowin...

CVSS 6.4 | AI score 4.7 | EPSS 0.00155
Exploits: 0 | References: 2

Cvelist
added 2026/01/06 9:20 a.m. | 23 views

CVE-2025-14552 MediaPress <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode

The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00155
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/06 9:20 a.m. | 2 views

CVE-2025-14552 MediaPress <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode

The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 | AI score 4.7 | EPSS 0.00155
Exploits: 0 | References: 2

Cvelist
added 2026/01/06 3:21 a.m. | 26 views

CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute

The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

CVSS 6.5 | EPSS 0.00242
Exploits: 0 | References: 4

CVE
added 2026/01/06 3:21 a.m. | 17 views

CVE-2025-14153

CVE-2025-14153 is a WordPress plugin vulnerability in Page Expire Popup/Redirection for WordPress. The issue is a time-based SQL Injection via the shortcode attribute id in versions up to 1.0, caused by insufficient escaping and lack of proper query preparation. Exploitation requires authenticat...

CVSS 6.5 | AI score 6 | EPSS 0.00242
Exploits: 0 | References: 4

Positive Technologies
added 2026/01/06 12:00 a.m. | 5 views

PT-2026-1428

Name of the Vulnerable Software and Affected Versions: MediaPress plugin for WordPress versions up to and including 1.6.1. Description: The MediaPress plugin for WordPress is susceptible to Stored Cross-Site Scripting through the mpp-uploader shortcode. This is due to inadequate input sanitization a...

CVSS 6.4 | AI score 5.3 | EPSS 0.00155
Exploits: 0 | References: 7

Patchstack
added 2026/01/05 9:50 p.m. | 4 views

WordPress Page Expire Popup/Redirection for WordPress plugin <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute vulnerability

Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin Page Expire Popup/Redirection for WordPress versions <= 1.0...

CVSS 6.5 | AI score 7.8 | EPSS 0.00242
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/01/05 6:22 a.m. | 7 views

WordPress DeepDigital theme <= 1.0.2 - Arbitrary Shortcode Execution vulnerability

Arbitrary Shortcode Execution vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme DeepDigital versions <= 1.0.2...

CVSS 5.3 | AI score 7.1 | EPSS 0.00291
Exploits: 0 | Affected Software: 1

RedhatCVE
added 2026/01/01 9:12 a.m. | 7 views

CVE-2025-62760

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8...

CVSS 6.5 | AI score 5.9 | EPSS 0.00137
Exploits: 0 | References: 1

NVD
added 2025/12/31 9:15 a.m. | 2 views

CVE-2025-62760

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8...

CVSS 6.5 | EPSS 0.00137
Exploits: 0 | References: 1

Vulnrichment
added 2025/12/31 8:52 a.m. | 1 view

CVE-2025-62760 WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8...

CVSS 6.5 | AI score 5.6 | EPSS 0.00137
Exploits: 0 | References: 1

Cvelist
added 2025/12/31 8:52 a.m. | 20 views

CVE-2025-62760 WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS. This issue affects BuddyPress Activity Shortcode: from n/a through <= 1.1.8...

CVSS 6.5 | EPSS 0.00137
Exploits: 0 | References: 1

CVE
added 2025/12/31 8:52 a.m. | 9 views

CVE-2025-62760

CVE-2025-62760 refers to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the BuddyPress Activity Shortcode plugin. According to the Wordfence Vulnerability report, the affected component is the BuddyPress Activity Shortcode, with versions up to and including 1.1.8. It is categ...

CVSS 6.5 | AI score 5.9 | EPSS 0.00137
Exploits: 0 | References: 1

Patchstack
added 2025/12/31 8:50 a.m. | 4 views

WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin BuddyPress Activity Shortcode versions <= 1.1.8...

CVSS 6.5 | AI score 5.9 | EPSS 0.00137
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/12/31 12:00 a.m. | 5 views

WordPress GamiPress plugin <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function vulnerability

Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function vulnerability discovered by abrahack in WordPress Plugin GamiPress versions <= 7.2.1...

CVSS 7.3 | AI score 5.3 | EPSS 0.00581
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:00 a.m. | 5 views

WordPress Extensive VC Addons for WPBakery page builder plugin <= 1.9.1 - Unauthenticated Local File Inclusion via 'shortcode_name' Parameter vulnerability

Unauthenticated Local File Inclusion via 'shortcode_name' Parameter vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Extensive VC Addons for WPBakery page builder versions <= 1.9.1...

CVSS 8.1 | AI score 5.4 | EPSS 0.00533
Exploits: 0 | References: 1 | Affected Software: 1