PT-2025-47437

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppb-embed shortcode in all versions up to, and including, 3.14.8 due to insufficient input sanitization and output...

PT-2025-47445

Name of the Vulnerable Software and Affected Versions Code Snippets versions prior to 3.9.1 Description The Code Snippets plugin for WordPress is susceptible to PHP Code Injection in versions up to and including 3.9.1. This occurs because the plugin utilizes extract on shortcode attributes...

PT-2025-47431

The Pet-Manager – Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

PT-2025-47436

The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wfop phone shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied default...

WordPress plugin Code Snippets 代码注入漏洞

WordPress Code Snippets plugin is a plugin designed for WordPress to conveniently add and manage custom code snippets without having to directly modify the theme files. The WordPress Code Snippets plugin suffers from a code injection vulnerability that stems from the evaluateshortcodefromflatfile...

WordPress plugin Pet-Manager 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

WordPress plugin FunnelKit 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

WordPress Pet-Manager – Petfinder plugin <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via kwm-petfinder Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Pet-Manager – Petfinder versions = 3.6.1...

WordPress User Profile Builder plugin <= 3.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Profile Builder versions = 3.14.8...

CVE-2025-7711

The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before...

CVE-2025-12823

The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2025-12962

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the syndicatelocal shortcode. This is due to the use of wpremoteget instead of wpsaferemoteget which lacks protections against requests to...

CVE-2025-11868

The WordPress everviz plugin (up to version 1.1) is vulnerable to Stored Cross‑Site Scripting via the everviz shortcode attributes. The root cause is inadequate input sanitization and output escaping when building a from the type and hash attributes. This allows authenticated attackers with cont...

EUVD-2025-197932

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

CVE-2025-11868 everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

CVE-2025-11868 everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...

CVE-2025-12962 Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the syndicatelocal shortcode. This is due to the use of wpremoteget instead of wpsaferemoteget which lacks protections against requests to...

EUVD-2025-197946

The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2025-12962 Local Syndication <= 1.5a - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the syndicatelocal shortcode. This is due to the use of wpremoteget instead of wpsaferemoteget which lacks protections against requests to...

EUVD-2025-197944

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the url parameter in the syndicatelocal shortcode. This is due to the use of wpremoteget instead of wpsaferemoteget which lacks protections against requests to...