CVE-2025-13962 Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13885

Zenost Shortcodes (WordPress) contains a Stored XSS (CVE-2025-13885) in the button shortcode via link and target parameters for all versions up to 1.0. Exploitation requires authenticated access at Contributor+ level, enabling injection of scripts on pages that execute when users view the injecte...

CVE-2025-13885 Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

EUVD-2025-202970

The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-13885 Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-13906

CVE-2025-13906 (WP Flot) is a stored cross-site scripting vulnerability in the WP Flot WordPress plugin. The issue affects all versions up to and including 0.2.2 and stems from insufficient input sanitization and output escaping in the linechart shortcode attributes. As a result, authenticated at...

CVE-2025-13906 WP Flot <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13906 WP Flot <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13966

CVE-2025-13966 : The Paypal Payment Shortcode plugin for WordPress is vulnerable to a stored XSS via the buttom_image parameter in the [paypal-shortcode] shortcode, affecting all versions up to 1.01. The Wordfence Vulnerability DB notes that this requires Contributor+ access and that a patch is n...

CVE-2025-13961

CVE-2025-13961 affects the WordPress plugin Data Visualizer (Data Visualizer) up to version 1.1. It enables a Stored Cross-Site Scripting (Stored XSS) via the plugin’s shortcodes (visualize) due to insufficient input sanitization and output escaping on user-supplied attributes. Exploitation requi...

CVE-2025-13966 Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute

The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttomimage' parameter of the paypal-shortcode shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13961 Data Visualizer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13961 Data Visualizer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13966 Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute

The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttomimage' parameter of the paypal-shortcode shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for...

EUVD-2025-202978

The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-13884

The CVE-2025-13884 entry concerns the WordPress plugin Hide Email Address. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the inline_css parameter of the bg-hide-email-address shortcode, present in all versions up to and including 0.1. The root cause is insufficient input saniti...

CVE-2025-13884 Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inlinecss' parameter in the bg-hide-email-address shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This make...

CVE-2025-13884 Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inlinecss' parameter in the bg-hide-email-address shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This make...

EUVD-2025-202980

The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-13960 GPXpress <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...