8972 matches found

OSV
added 2025/01/25 8:15 a.m. · 3 views

CVE-2024-13550

The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files...

CVSS 6.5 · AI score 5.9 · EPSS 0.00643
Exploits: 1 · References: 2

Cvelist
added 2025/01/25 7:24 a.m. · 17 views

CVE-2024-13548 Power Ups for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 · EPSS 0.00289
Exploits: 0 · References: 3

Positive Technologies
added 2025/01/25 12:0 a.m. · 5 views

PT-2025-2181 · WordPress · Wordpress Seo Friendly Accordion Faq

Name of the Vulnerable Software and Affected Versions: WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin versions up to, and including, 2.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode due to insufficient...

CVSS 6.4 · AI score 6.1 · EPSS 0.00216
Exploits: 0 · References: 7

Positive Technologies
added 2025/01/25 12:0 a.m. · 4 views

PT-2025-2217 · WordPress · Abc Notation

Name of the Vulnerable Software and Affected Versions: ABC Notation plugin for WordPress versions up to, and including, 6.1.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 6.3 · EPSS 0.00292
Exploits: 1 · References: 7

Positive Technologies
added 2025/01/25 12:0 a.m. · 3 views

PT-2025-2214 · WordPress · Power Ups For Elementor

Name of the Vulnerable Software and Affected Versions: Power Ups for Elementor plugin for WordPress versions up to, and including, 1.2.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode due to insufficient input sanitization and output...

CVSS 6.4 · AI score 6.2 · EPSS 0.00289
Exploits: 0 · References: 8

Positive Technologies
added 2025/01/25 12:0 a.m. · 2 views

PT-2025-1956 · WordPress · Etsy Importer

Name of the Vulnerable Software and Affected Versions: Etsy Importer plugin for WordPress versions up to, and including, 1.4.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the product lin...

CVSS 6.4 · AI score 6.2 · EPSS 0.00296
Exploits: 0 · References: 7

NVD
added 2025/01/24 6:15 p.m. · 11 views

CVE-2025-24687

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lars Wallenborn Show/Hide Shortcode showhide-shortcode allows Stored XSS. This issue affects Show/Hide Shortcode: from n/a through <= 1.0.0...

CVSS 6.5 · EPSS 0.00334
Exploits: 0 · References: 1

NVD
added 2025/01/24 6:15 p.m. · 6 views

CVE-2025-24636

Cross-Site Request Forgery (CSRF) vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...

CVSS 7.1 · EPSS 0.00175
Exploits: 0 · References: 1

Cvelist
added 2025/01/24 5:24 p.m. · 15 views

CVE-2025-24687 WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lars Wallenborn Show/Hide Shortcode showhide-shortcode allows Stored XSS. This issue affects Show/Hide Shortcode: from n/a through <= 1.0.0...

CVSS 6.5 · EPSS 0.00334
Exploits: 0 · References: 1

CVE
added 2025/01/24 5:24 p.m. · 43 views

CVE-2025-24636

CVE-2025-24636 : WordPress MachForm Shortcode (Laymance Technologies LLC) has a CSRF to Stored XSS vulnerability affecting MachForm Shortcode versions up to 1.4.1. The vulnerability is rated with CVSSv3.1 base score 7.1 (HIGH). Public references indicate the issue exists in the plugin from n/a th...

CVSS 7.1 · AI score 7.2 · EPSS 0.00175
Exploits: 0 · References: 1

Vulnrichment
added 2025/01/24 5:24 p.m. · 3 views

CVE-2025-24636 WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...

CVSS 7.1 · AI score 8.6 · EPSS 0.00175
Exploits: 0 · References: 1

Cvelist
added 2025/01/24 5:24 p.m. · 16 views

CVE-2025-24636 WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...

CVSS 7.1 · EPSS 0.00175
Exploits: 0 · References: 1

Patchstack
added 2025/01/24 11:47 a.m. · 3 views

WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by SOPROBRO in WordPress Plugin Show/Hide Shortcode versions <= 1.0.0...

CVSS 6.5 · AI score 6.1 · EPSS 0.00334
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/01/24 11:47 a.m. · 3 views

WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

CSRF to Stored XSS vulnerability discovered by SOPROBRO in WordPress Plugin MachForm Shortcode versions <= 1.4.1...

CVSS 7.1 · AI score 6.2 · EPSS 0.00175
Exploits: 0 · Affected Software: 1

OSV
added 2025/01/24 11:15 a.m. · 3 views

CVE-2024-13542

The WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied...

CVSS 5.4 · AI score 7.4 · EPSS 0.00236
Exploits: 0 · References: 2

OSV
added 2025/01/24 11:15 a.m. · 2 views

CVE-2024-13572

The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

CVSS 5.4 · AI score 5.9 · EPSS 0.00217
Exploits: 0 · References: 2

OSV
added 2025/01/24 11:15 a.m. · 1 views

CVE-2024-13594

The Simple Downloads List plugin for WordPress is vulnerable to SQL Injection via the 'category' attribute of the 'neofixsdl' shortcode in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVSS 6.5 · AI score 5.8 · EPSS 0.00395
Exploits: 0 · References: 3

OSV
added 2025/01/24 11:15 a.m. · 3 views

CVE-2024-13408

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the pgcu shortcode. This makes it possible for authenticated attacker...

CVSS 8.8 · AI score 7.8
Exploits: 0 · References: 2

NVD
added 2025/01/24 11:15 a.m. · 16 views

CVE-2024-13572

The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

CVSS 6.4 · EPSS 0.00217
Exploits: 0 · References: 2

OSV
added 2025/01/24 10:15 a.m. · 1 views

CVE-2024-13583

The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2twsgwf' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 7.4
Exploits: 0 · References: 3