CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/05/13 2:21 p.m.•4 views

CVE-2026-7661

The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the box shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

RedhatCVE•added 2026/05/13 2:21 p.m.•6 views

Exploits0References1

CVE-2026-6247

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

RedhatCVE•added 2026/05/13 2:21 p.m.•7 views

Exploits0References1

CVE-2026-4920

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

Patchstack•added 2026/05/13 12:20 p.m.•4 views

Exploits0References1

WordPress Advanced Custom Fields: Extended plugin <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin ACF Extended versions = 0.9.2.3...

6.5CVSS5.8AI score0.00266EPSS

Exploits0References1Affected Software1

ATTACKERKB•added 2026/05/13 7:44 a.m.•3 views

CVE-2025-14767

The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the wpcbmbestseller shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

Vulnrichment•added 2026/05/13 7:44 a.m.•3 views

CVE-2025-14767 WPC Badge Management for WooCommerce <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute

CVE•added 2026/05/13 7:44 a.m.•16 views

CVE-2025-14767

CVE-2025-14767 affects the WordPress plugin WPC Badge Management for WooCommerce (versions ≤ 3.1.6). The vulnerability is a Stored Cross-Site Scripting via the 'text' attribute of the wpcbm_best_seller shortcode, caused by insufficient input sanitization and output escaping. Authenticated attacke...

NVD•added 2026/05/13 5:16 a.m.•4 views

CVE-2026-6962

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...

6.4CVSS0.00193EPSS

EUVD•added 2026/05/13 4:26 a.m.•6 views

EUVD-2026-29898

6.4CVSS6AI score0.00193EPSS

Vulnrichment•added 2026/05/13 4:26 a.m.•3 views

CVE-2026-6962 Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4CVSS6AI score0.00193EPSS

Positive Technologies•added 2026/05/13 12:0 a.m.•6 views

PT-2026-40581

The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the wpcbm best seller shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

NVD•added 2026/05/12 11:16 p.m.•13 views

CVE-2025-15463

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This make...

6.5CVSS0.00266EPSS

Cvelist•added 2026/05/12 10:24 p.m.•35 views

CVE-2025-15463 Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution

6.5CVSS0.00266EPSS

EUVD•added 2026/05/12 10:24 p.m.•6 views

EUVD-2025-209809

6.5CVSS6.2AI score0.00266EPSS

ATTACKERKB•added 2026/05/12 10:24 p.m.•7 views

CVE-2025-15463

6.5CVSS6.2AI score0.00266EPSS

CVE•added 2026/05/12 10:24 p.m.•16 views

CVE-2025-15463

The CVE-2025-15463 entry concerns the Advanced Custom Fields: Extended WordPress plugin, affected versions up to 0.9.2.3. The vulnerability arises from code that executes do_shortcode without proper value validation, allowing unauthenticated attackers to execute arbitrary shortcodes. No public ex...

6.5CVSS6.2AI score0.00266EPSS

EUVD•added 2026/05/12 9:31 a.m.•5 views

EUVD-2026-29421

EUVD•added 2026/05/12 9:31 a.m.•6 views

EUVD-2026-29420

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00242EPSS

EUVD•added 2026/05/12 9:31 a.m.•4 views

EUVD-2026-29403

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...