8977 matches found

RedhatCVE
added 2025/02/04 11:53 p.m. · 7 views

CVE-2024-13499

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_do_shortcode function in all versions up to, and including, 7.2.1. This is due to the software allowing users to...

CVSS 7.3 · AI score 7.5 · EPSS 0.00581
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 11:51 p.m. · 5 views

CVE-2024-13453

The Contact Form & SMTP Plugin for WordPress by PirateForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.6.0. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 7.3 · AI score 7.6 · EPSS 0.00503
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:42 p.m. · 11 views

CVE-2024-8623

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. Thi...

CVSS 7.3 · AI score 7.6 · EPSS 0.00622
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:42 p.m. · 5 views

CVE-2024-8478

The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it...

CVSS 7.3 · AI score 7.7 · EPSS 0.0063
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:40 p.m. · 14 views

CVE-2024-8481

The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.4. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for...

CVSS 7.3 · AI score 6.2 · EPSS 0.00623
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:32 p.m. · 6 views

CVE-2024-8271

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 7.3 · AI score 7.6 · EPSS 0.00737
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:29 p.m. · 5 views

CVE-2024-8479

The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to...

CVSS 7.3 · AI score 7.7 · EPSS 0.00565
Exploits: 0 · References: 1

RedhatCVE
added 2025/02/04 10:18 p.m. · 5 views

CVE-2024-53736

Cross-Site Request Forgery (CSRF) vulnerability in Jason Grim Custom Shortcode Sidebars custom-shortcode-sidebars allows Stored XSS. This issue affects Custom Shortcode Sidebars: from n/a through <= 1.2...

CVSS 7.1 · AI score 7.2 · EPSS 0.00166
Exploits: 0 · References: 1

Positive Technologies
added 2025/02/04 12:0 a.m. · 3 views

PT-2025-2200 · WordPress · B Slider- Gutenberg Slider Block

Name of the Vulnerable Software and Affected Versions: The B Slider- Gutenberg Slider Block for WP plugin for WordPress versions up to, and including, 1.9.5 Description: The issue allows authenticated attackers with Contributor-level access and above to extract data from private posts they should...

CVSS 4.3 · AI score 9.4 · EPSS 0.0032
Exploits: 0 · References: 6

Positive Technologies
added 2025/02/04 12:0 a.m. · 3 views

PT-2025-1736 · WordPress · Medical Addon For Elementor

Name of the Vulnerable Software and Affected Versions: Medical Addon for Elementor plugin for WordPress versions up to, and including, 1.6.2 Description: The issue allows authenticated attackers with Contributor-level access and above to read the content of draft, pending, and private posts due t...

CVSS 4.3 · AI score 9.2 · EPSS 0.00396
Exploits: 0 · References: 8

Patchstack
added 2025/02/03 10:28 p.m. · 3 views

WordPress B Slider- Gutenberg Slider Block for WP plugin <= 1.1.23 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode vulnerability

Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode vulnerability discovered by Nishiv in WordPress Plugin B Slider versions <= 1.1.23...

CVSS 4.3 · AI score 7 · EPSS 0.0032
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/02/03 10:27 p.m. · 5 views

WordPress Medical Addon for Elementor plugin <= 1.6.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode vulnerability

Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Medical Addon for Elementor versions <= 1.6.2...

CVSS 4.3 · AI score 6.9 · EPSS 0.00396
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/02/03 10:23 p.m. · 3 views

WordPress BoomBox Theme Extensions plugin <= 1.8.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability

Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability discovered by István Márton in WordPress Plugin BoomBox Theme Extensions versions <= 1.8.0...

CVSS 8.8 · AI score 7 · EPSS 0.00553
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/02/03 10:18 p.m. · 7 views

WordPress Eventer plugin <= 3.9.9.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by István Márton in WordPress Plugin Eventer versions <= 3.9.9.4...

CVSS 6.4 · AI score 8.2 · EPSS 0.00235
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/02/03 10:16 p.m. · 4 views

WordPress BP Better Messages plugin <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Bassem Essam in WordPress Plugin BP Better Messages versions <= 2.6.9...

CVSS 6.4 · AI score 5.8 · EPSS 0.00284
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2025/02/03 8:15 p.m. · 1 views

CVE-2024-11132

The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level an...

CVSS 5.4 · AI score 5.9 · EPSS 0.00235
Exploits: 0 · References: 2

Patchstack
added 2025/02/03 4:12 p.m. · 3 views

WordPress Embed RSS plugin <= 3.1 - Arbitrary Shortcode Execution vulnerability

Arbitrary Shortcode Execution vulnerability discovered by muhammad yudha in WordPress Plugin Embed RSS versions <= 3.1...

CVSS 4.2 · AI score 7.1 · EPSS 0.00203
Exploits: 0 · Affected Software: 1

Cvelist
added 2025/02/03 2:23 p.m. · 17 views

CVE-2025-22677 WordPress Uix Shortcodes plugin <= 2.0.3 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in UIUX Lab Uix Shortcodes uix-shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uix Shortcodes: from n/a through <= 2.0.3...

CVSS 4.8 · EPSS 0.00273
Exploits: 0 · References: 1

Patchstack
added 2025/02/03 12:38 p.m. · 3 views

WordPress Uix Shortcodes plugin <= 2.0.3 - Arbitrary Shortcode Execution vulnerability

Arbitrary Shortcode Execution vulnerability discovered by theviper17 (Patchstack Alliance) in WordPress Plugin Uix Shortcodes versions <= 2.0.3...

CVSS 4.8 · AI score 7.1 · EPSS 0.00273
Exploits: 0 · Affected Software: 1

OSV
added 2025/02/01 1:15 p.m. · 4 views

CVE-2024-13612

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input...

CVSS 5.4 · AI score 5.9 · EPSS 0.00284
Exploits: 0 · References: 5