CVE-2025-8561

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

CVE-2025-10406

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

CVE-2025-10406 BlindMatrix e-Commerce < 3.1 - Contributor+ LFI

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

CVE-2025-10406 BlindMatrix e-Commerce < 3.1 - Contributor+ LFI

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

EUVD-2025-34519

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

CVE-2025-10406

CVE-2025-10406 affects the BlindMatrix e-Commerce WordPress plugin. The vulnerability arises from unvalidated shortcode attributes that are used to build file includes, enabling Local File Inclusion (LFI) when exploited by authenticated users (e.g., contributors). The issue is triggered by genera...

WordPress Shortcode Button plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Shortcode Button versions = 1.1.9...

WordPress WPBakery Page Builder plugin <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode vulnerability

Stored Cross-Site Scripting via vccustomheading Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WPBakery Page Builder versions = 8.6.1...

WordPress plugin WP Google Map Plugin SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. WordPress...

WordPress plugin BlindMatrix e-Commerce 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A file inclusion vulnerability exists in the WordPress BlindMatrix e-Commerce plugin that stems from an unvalidated shortcode attribute that can be exploited by an attacker to...

WordPress plugin Quick Social Login 跨站脚本漏洞

WordPress Quick Social Login plugin is a plugin that allows users to quickly log in or sign up through social media accounts such as Facebook, Google, Twitter, LinkedIn, Slack and WordPress.com. The WordPress Quick Social Login plugin suffers from a cross-site scripting vulnerability that stems...

WordPress plugin Digiseller 跨站脚本漏洞

WordPress Digiseller plugin is a plugin that is mainly used to help users integrate digital merchandising features in their websites. A cross-site scripting vulnerability exists in the WordPress Digiseller plugin, which stems from a lack of effective filtering and escaping of the ds shortcode, an...

WordPress plugin Shortcode Button 跨站脚本漏洞

WordPress Shortcode Button plugin is a plugin or function to quickly insert buttons through a short code, mainly used to simplify the process of adding buttons to a page or post, support for custom styles and parameter settings. WordPress Shortcode Button plugin has a cross-site scripting...

PT-2025-42229

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

WordPress WordPress Live Webcam Widget & Shortcode plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WordPress Live Webcam Widget & Shortcode versions = 1.2...

WordPress Fintelligence Calculator plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress Fintelligence Calculator plugin, which stems from a lack of valid filtering and escaping of the...

WordPress BP Direct Menus plugin cross-site scripting vulnerability

WordPress BP Direct Menus plugin is a menu management plugin for WordPress, which is mainly used to realize the quick jump function of menu items. WordPress BP Direct Menus plugin has a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of the bpdmlogi...

CVE-2025-10129

The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

CVE-2025-7652

The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-10167

The Stock History & Reports Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwcstocksnapshotrestocked shortcode in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping on user supplied...