CVE-2025-12671

The CVE-2025-12671 entry concerns the WordPress WP-Iconics plugin with stored cross-site scripting in the wp_iconics shortcode parameters. Affected versions are listed as up to 0.0.4 (and upstream updates address 0.0.5+ per remediation notes). Root cause is insufficient input sanitization and ina...

CVE-2025-12671 WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpiconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12671 WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wpiconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-12753

The WordPress Chart Expert plugin (versions

CVE-2025-12753 Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzezchart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for...

CVE-2025-12753 Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzezchart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for...

CVE-2025-12672 Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'divheight' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2025-11805

The CVE CVE-2025-11805 concerns the WordPress plugin Skip to Timestamp (versions

CVE-2025-12754

CVE-2025-12754 (Geopost WordPress plugin) : Concrete details are provided across multiple connected sources. The Geopost plugin (WordPress) is affected in all versions up to 1.2 and is vulnerable to Stored Cross-Site Scripting via the height parameter of the geopost shortcode. The root cause is i...

CVE-2025-12010

CVE-2025-12010 – Authors List plugin (WordPress) Vulnerability: Authenticated (Contributor+) users can trigger a limited method call in the Authors_List_Shortcode class to perform sensitive information exposure, extracting data such as password hashes, email addresses, usernames, and activation k...

CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode

The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...

CVE-2025-12754 Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-12010 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode

The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from AuthorsListShortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to ca...

CVE-2025-11805 Skip to Timestamp <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Skip to Timestamp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skipto' shortcode in all versions up to, and including, 1.4.4. This is due to insufficient input sanitization and output escaping on the 'time' attribute. This makes it possible for authenticated...

CVE-2025-12644

The CVE-2025-12644 issue affects the WordPress plugin Nonaki – Drag and Drop Email Template builder and Newsletter (versions up to and including 1.0.11). It is a stored XSS via the nonaki shortcode caused by insufficient input sanitization and output escaping of user-provided custom field values,...

CVE-2025-12644 Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields

The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom...

CVE-2025-11863 My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The My Geo Posts Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mygeocity' shortcode in all versions up to, and including, 1.2. This is due to the plugin not properly sanitizing user input or escaping output of the 'default' shortcode attribute. This makes it...

CVE-2025-11829

CVE-2025-11829 relates to the Five9 Live Chat plugin for WordPress. The WordPress plugin versions through 1.1.2 are vulnerable to Stored Cross-Site Scripting via the toolbar attribute in the [five9-chat] shortcode, due to insufficient input sanitization and output escaping. The Wordfence report (...

CVE-2025-12652

CVE-2025-12652 — Ungapped Widgets (WordPress) is a stored XSS vulnerability in the ungapped-form shortcode, exploitable via the prefillvalues parameter. Reports indicate exploitation requires authenticated access at contributor level or higher, with the attacker able to inject scripts that run fo...

CVE-2025-12652 Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This mak...