CVE-2025-11365 WP Google Map Plugin <= 1.0 - Authenticated (Contributor+) SQL Injection

The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'googlemap' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

CVE-2025-10135

CVE-2025-10135 (WP ViewSTL &lt;= 1.0) stores cross-site scripting via the WordPress plugin’s viewstl shortcode. Authenticated attackers with contributor-level access or higher can inject scripts that execute for page visitors who load the injected page. The issue arises from insufficient input sa...

CVE-2025-10135 WP ViewSTL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2025-10135 WP ViewSTL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2025-10132

The CVE-2025-10132 issue affects the Dhivehi Text WordPress plugin (versions

CVE-2025-11722

The CVE CVE-2025-11722 affects the WordPress plugin “Woocommerce Category and Products Accordion Panel” (accordion-panel-for-category-and-products). The vulnerability is Local File Inclusion via the categoryaccordionpanel shortcode in all versions up to 1.0, exploitable by authenticated attackers...

CVE-2025-10132 Dhivehi Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

EUVD-2025-34554

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-11722 Category and Products Accordion Panel <= 1.0 - Authenticated (Contributor+) Local File Inclusion

The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVE-2025-10132 Dhivehi Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-10575

CVE-2025-10575 : WordPress plugin WP jQuery Pager contains an SQL Injection via the ids shortcode attribute, handled by WPJqueryPaged::get_gallery_page_imgs(). Affected in all versions up to and including 1.4.0 due to insufficient escaping and lack of prepared statements. Exploitation requires au...

CVE-2025-10575 WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode

The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::getgallerypageimgs function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of...

CVE-2025-10575 WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode

The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::getgallerypageimgs function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of...

EUVD-2025-34565

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

CVE-2025-10730

The CVE-2025-10730 entry concerns the WordPress plugin Wp tabber widget. Public details confirm an SQL Injection flaw in all versions up to 4.0 via the wp-tabber-widget shortcode, enabling authenticated attackers with Contributor-level access and above to append SQL statements to existing queries...

CVE-2025-10730 Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

CVE-2025-10139

CVE-2025-10139 concerns the WordPress plugin WP BookWidgets. According to Wordfence, it is vulnerable to a stored cross-site scripting (XSS) condition via the plugin’s bw_link shortcode in versions up to and including 0.9, caused by insufficient input sanitization and output escaping of user-supp...

CVE-2025-11161

CVE-2025-11161 affects the WPBakery Page Builder plugin for WordPress (versions up to 8.6.1). The vulnerability is a Stored Cross-Site Scripting (XSS) in the vc_custom_heading shortcode due to insufficient restriction of allowed HTML tags and improper sanitization of font_container attributes. Th...

EUVD-2025-34533

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vccustomheading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...

CVE-2025-11161 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vccustomheading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...