8956 matches found
CVE-2026-8899 Auto Thumbnails <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athnthumbnail...
CVE-2026-8040
CVE-2026-8040 affects the WordPress plugin faq-shortcode (versions
CVE-2026-8886
CVE-2026-8886 affects the WordPress plugin hk_shortcode (v
CVE-2026-8886 hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
The hkshortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankongpostshorttitleplane...
CVE-2026-8040 faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-8886
The hkshortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankongpostshorttitleplane...
CVE-2026-8040
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
EUVD-2026-32092
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-8040 faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-8886 hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
The hkshortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankongpostshorttitleplane...
CVE-2026-8847
The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...
CVE-2026-8844
CVE-2026-8844 affects the WordPress plugin Responsive Check (Real-time version) up to 0.0.3. The vulnerability stems from the rspc_check_shortcode() function: the shortcode attributes url and button are echoed into iframe src attributes without proper escaping (esc_attr/esc_url), causing stored X...
CVE-2026-8847 Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...
CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...
CVE-2026-8847
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...
CVE-2026-8844
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...
EUVD-2026-32089
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...
EUVD-2026-32088
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...
CVE-2026-8847 Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...
CVE-2026-8894
The CVE-2026-8894 entry describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin iWR Tooltip (versions up to 1.0). The flaw arises from insufficient input sanitization and output escaping in the iwr_tooltip() shortcode handler, where the title attribute is concatenated direct...