CVE-2025-11767

The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2025-11800 Surbma | MiniCRM Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11800 Surbma | MiniCRM Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11800

CVE-2025-11800 affects the Surbma | MiniCRM Shortcode plugin for WordPress. The stored XSS arises from insufficient sanitization of the id attribute in the minicrm shortcode and affects all versions up to 2.0. Exploitation requires authenticated access at contributor level or higher, with scripts...

CVE-2025-11763

The WordPress plugin Display Pages Shortcode is vulnerable to Stored XSS through the column_count parameter in the [display-pages] shortcode (versions ≤ 1.1). The flaw arises from insufficient input filtering and output escaping, enabling authenticated attackers with Contributor+ access to inject...

CVE-2025-11763 Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'columncount' parameter in the display-pages shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-11763 Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'columncount' parameter in the display-pages shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for...

EUVD-2025-198418

The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'columncount' parameter in the display-pages shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13135 HotelRunner Booking Widget <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-11764 Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-11764 Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...

EUVD-2025-198419

The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-11799

CVE-2025-11799 (Affiliate AI Lite, WordPress): Stored Cross-Site Scripting via the asin attribute in the affiai_img shortcode. Affects all versions up to and including 1.0.1. Exploitation requires authenticated access at contributor level or higher, enabling injection of arbitrary scripts on page...

CVE-2025-11768

CVE-2025-11768 affects the WordPress Islamic Phrases plugin. It is an authenticated Stored Cross-Site Scripting vulnerability via the phrases shortcode attribute in all versions up to and including 2.12.2015. Exploitation requires contributor-level access or higher, and injected scripts run in pa...

CVE-2025-11770

The BrightTALK WordPress Shortcode plugin (WordPress) is vulnerable to Stored Cross-Site Scripting via the format attribute of the brighttalk-time shortcode in all versions up to 2.4.0. The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers wit...

CVE-2025-11767 Tips Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2025-11770 BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it...

CVE-2025-11767 Tips Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

EUVD-2025-198398

The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2025-11767

CVE-2025-11767 affects the WordPress plugin Tips Shortcode. The vulnerability is a Stored Cross-Site Scripting (XSS) via the shortcode in all versions up to 0.2.1, caused by insufficient input sanitization and output escaping. It requires an authenticated attacker with contributor-level access o...