Lucene search

8980 matches found

Patchstack
added 2025/02/28 11:37 p.m. · 4 views

WordPress Authors List plugin <= 2.0.6 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by abrahack in WordPress Plugin Authors List versions <= 2.0.6...

6.5 CVSS · 7.1 AI score · 0.00344 EPSS
Exploits 0 · References 1 · Affected Software 1
OSV
added 2025/02/28 9:15 a.m. · 3 views

CVE-2025-1560

The WOW Entrance Effects WEE! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

5.4 CVSS · 6 AI score · 0.0024 EPSS
Exploits 0 · References 3
OSV
added 2025/02/28 9:15 a.m. · 3 views

CVE-2024-13832

The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.8 via the 'utelementor' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with...

4.3 CVSS · 5.8 AI score · 0.00302 EPSS
Exploits 0 · References 2
RedhatCVE
added 2025/02/28 6:27 a.m. · 8 views

CVE-2024-10563

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...

5.4 CVSS · 5.8 AI score · 0.00323 EPSS
Exploits 1 · References 1
OSV
added 2025/02/28 6:15 a.m. · 2 views

CVE-2024-12820

The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MKGD' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

5.4 CVSS · 5.9 AI score · 0.00211 EPSS
Exploits 0 · References 2
CVE
added 2025/02/28 4:21 a.m. · 65 views

CVE-2025-1757

CVE-2025-1757 refers to WordPress Portfolio Builder – Portfolio Gallery (Uber Grid) with Stored XSS via pfhub_portfolio and pfhub_portfolio_portfolio shortcodes in versions up to 1.1.7. The Red Hat and CIRCL entries corroborate the description. The vulnerability requires authenticated access (Con...

6.4 CVSS · 5.8 AI score · 0.00247 EPSS
Exploits 0 · References 3 · Affected Software 1
CNNVD
added 2025/02/28 12:00 a.m. · 2 views

WordPress plugin Ultra Addons Lite for Elementor security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

4.3 CVSS · 8 AI score · 0.00302 EPSS
Exploits 0 · References 3
Positive Technologies
added 2025/02/28 12:00 a.m. · 4 views

PT-2025-9075 · WordPress · Secupress Free

Name of the Vulnerable Software and Affected Versions: SecuPress Free — WordPress Security plugin versions up to, and including, 2.2.5.3 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the...

6.4 CVSS · 7.7 AI score · 0.00193 EPSS
Exploits 0 · References 7
Positive Technologies
added 2025/02/28 12:00 a.m. · 3 views

PT-2025-9064 · WordPress · Product Catalog Simple

Name of the Vulnerable Software and Affected Versions: Product Catalog Simple plugin for WordPress versions prior to 1.7.12 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the show products shortcode. This allows authenticated...

6.4 CVSS · 9.3 AI score · 0.00264 EPSS
Exploits 0 · References 8
Positive Technologies
added 2025/02/28 12:00 a.m. · 2 views

PT-2025-9079 · WordPress · Wow Entrance Effects

Name of the Vulnerable Software and Affected Versions: WOW Entrance Effects WEE! plugin for WordPress versions up to, and including, 0.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'wee' shortcode, allowing...

6.4 CVSS · 9.3 AI score · 0.0024 EPSS
Exploits 0 · References 8
Positive Technologies
added 2025/02/28 12:00 a.m. · 4 views

PT-2025-9071 · WordPress · Ultra Addons Lite For Elementor

Name of the Vulnerable Software and Affected Versions: Ultra Addons Lite for Elementor plugin for WordPress versions up to, and including, 1.1.8 Description: The issue allows authenticated attackers with Contributor-level access and above to extract data from password-protected, private, or draft...

4.3 CVSS · 9.3 AI score · 0.00302 EPSS
Exploits 0 · References 7
Positive Technologies
added 2025/02/28 12:00 a.m. · 2 views

PT-2025-9057 · WordPress · Mk Google Directions

Name of the Vulnerable Software and Affected Versions: MK Google Directions plugin for WordPress versions up to and including 3.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'MKGD' shortcode, allowing authenticated...

6.4 CVSS · 9.3 AI score · 0.00211 EPSS
Exploits 0 · References 7
Patchstack
added 2025/02/27 11:37 a.m. · 4 views

WordPress Traveler theme <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability

Authenticated Contributor+ Local File Inclusion via Shortcode vulnerability discovered by István Márton in WordPress Theme Traveler versions <= 3.1.8...

8.8 CVSS · 7 AI score · 0.0068 EPSS
Exploits 0 · References 1 · Affected Software 1
OSV
added 2025/02/27 6:15 a.m. · 3 views

CVE-2024-6261

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

5.4 CVSS · 5.9 AI score · 0.00263 EPSS
Exploits 0 · References 3
Patchstack
added 2025/02/26 10:26 p.m. · 5 views

WordPress ThemeMakers Stripe Checkout plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin ThemeMakers Stripe Checkout versions <= 1.0.1...

6.4 CVSS · 5.8 AI score · 0.00263 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2025/02/26 10:20 p.m. · 6 views

WordPress ThemeMakers PayPal Express Checkout plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin ThemeMakers PayPal Express Checkout versions <= 1.1.9...

6.4 CVSS · 5.8 AI score · 0.00263 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2025/02/26 10:04 p.m. · 3 views

WordPress WooCommerce Cart Count Shortcode plugin < 1.1.0 - Contributor+ XSS vulnerability

Contributor+ XSS vulnerability discovered by Bob Matyas in WordPress Plugin WooCommerce Cart Count Shortcode versions < 1.1.0...

5.4 CVSS · 6.4 AI score · 0.00323 EPSS
Exploits 1 · References 1 · Affected Software 1
OSV
added 2025/02/26 1:15 p.m. · 4 views

CVE-2024-10563

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...

5.4 CVSS · 5.8 AI score
Exploits 0 · References 1
NVD
added 2025/02/26 1:15 p.m. · 6 views

CVE-2024-10563

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site...

5.4 CVSS · 0.00323 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/02/26 6:26 a.m. · 8 views

CVE-2024-12308

The Logo Slider WordPress plugin before 4.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4 CVSS · 5.5 AI score · 0.00263 EPSS
Exploits 1 · References 1