CVE-2024-11012

The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njtnofitext AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value...

CVE-2024-12521

The Slotti Ajanvaraus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slotti-embed-ga' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-10151

The Auto iFrame WordPress plugin before 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-56021

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ibnuyahya Category Post Shortcode category-post-shortcode allows Stored XSS.This issue affects Category Post Shortcode: from n/a through = 2.4...

CVE-2024-12461

The WP-Revive Adserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpreviveasync' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-10681

The The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.0.51. This is due to the software allowing users to execute an action that does not...

CVE-2024-10798

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers,...

CVE-2024-10709

The YaDisk Files WordPress plugin through 1.2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-10796

The If-So Dynamic Content Personalization plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.2.1 via the 'ifso-show-post' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers...

CVE-2024-10262

The The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible fo...

CVE-2024-51890

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in geoWP Geoportail Shortcode geoportail-shortcode allows Stored XSS.This issue affects Geoportail Shortcode: from n/a through = 2.4.4...

CVE-2024-51925

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Sazzad Testimonial Slider Shortcode testimonial-slider-shortcode allows Stored XSS.This issue affects Testimonial Slider Shortcode: from n/a through = 1.1.9...

CVE-2024-51842

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Sazzad Image Carousel Shortcode image-carousel-shortcode allows DOM-Based XSS.This issue affects Image Carousel Shortcode: from n/a through = 1.2...

CVE-2024-51864

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Agnel Waghela Shortcode Collection shortcode-collection allows Stored XSS.This issue affects Shortcode Collection: from n/a through = 1.4...

CVE-2024-12335

The Avada Fusion Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handleclonepost function and the 'fusionblog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for...

CVE-2024-38679

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Yongki Agustinus Animated Typed JS Shortcode allows Stored XSS.This issue affects Animated Typed JS Shortcode: from n/a through 2.0...

CVE-2024-9578

The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to doshortcode being hooked through the commenttext filter in all versions up to and including 1.4.2. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the...

CVE-2024-11108

The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-51609

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Aakif Kadiwala Emoji Shortcode emoji-shortcode allows Stored XSS.This issue affects Emoji Shortcode: from n/a through = 1.0.0...

CVE-2024-11867

The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied...