CVE-2024-13323

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

PT-2025-2109 · WordPress · Wp Booking Calendar

Name of the Vulnerable Software and Affected Versions: WP Booking Calendar versions up to and including 10.9.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'booking' shortcode due to insufficient input sanitization and output escaping on user-supplied...

Silverstripe Asset Admin Module 跨站脚本漏洞

Silverstripe Asset Admin Module is an open source asset management module from Silverstripe. A cross-site scripting vulnerability exists in Silverstripe Asset Admin Module, which stems from the fact that HTML is not sanitized until the shortcode is replaced, allowing execution of script loads in...

WordPress CF Internal Link Shortcode 1.1.0 SQL Injection

WordPress CF Internal Link Shortcode plugin versions 1.1.0 and below suffer from a remote SQL injection vulnerability. CVE-2024-12404 CF Internal Link Shortcode = 1.1.0 - Unauthenticated SQL Injection Description The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection v...

WordPress Booking Calendar plugin <= 10.9.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode vulnerability

Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode vulnerability discovered by Asaf Mozes in WordPress Plugin Booking Calendar versions = 10.9.2...

CVE-2024-12404

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2024-12404 CF Internal Link Shortcode <= 1.1.0 - Unauthenticated SQL Injection

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2024-12404 CF Internal Link Shortcode <= 1.1.0 - Unauthenticated SQL Injection

The CF Internal Link Shortcode plugin for WordPress is vulnerable to SQL Injection via the 'posttitle' parameter in all versions up to, and including, 1.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVE-2024-12404

CVE-2024-12404 : CF Internal Link Shortcode for WordPress is vulnerable to an unauthenticated SQL Injection via the post_title parameter in versions up to 1.1.0 due to insufficient escaping and poor query preparation. This could allow an attacker to append additional SQL commands to existing quer...

WordPress plugin CF Internal Link Shortcode SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A SQL injection vulnerability exists in WordPress plug...

PT-2025-1881 · WordPress · The Dominion – Domain Checker

Name of the Vulnerable Software and Affected Versions: The Dominion – Domain Checker for WPBakery plugin for WordPress versions up to, and including, 2.2.2 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied...

PT-2025-1688 · WordPress · Wp Spid Italia

Name of the Vulnerable Software and Affected Versions: WP SPID Italia plugin for WordPress versions up to, and including, 2.9 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode, allowing authenticated...

PT-2025-1753 · WordPress · The Unlimited Theme Addon For Elementor/Woocommerce

Name of the Vulnerable Software and Affected Versions: The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress versions up to, and including, 1.2.1 Description: The issue allows authenticated attackers with Contributor-level access and above to extract data from private or...

WordPress CF Internal Link Shortcode plugin <= 1.1.0 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Frissi0n in WordPress Plugin CF Internal Link Shortcode versions = 1.1.0...

PT-2025-1862 · WordPress · Ai Scribe

Name of the Vulnerable Software and Affected Versions: AI Scribe plugin for WordPress versions up to, and including, 2.3 Description: The issue is related to SQL Injection via the template id parameter of the article builder generate data shortcode. This is due to insufficient escaping on the...

PT-2025-1918 · WordPress · Yumpu E-Paper

Name of the Vulnerable Software and Affected Versions: Yumpu E-Paper publishing plugin for WordPress versions up to, and including, 3.0.8 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'YUMPU' shortcode due to insufficient input sanitization and output escaping ...

PT-2025-1866 · WordPress · Files Download Delay

Name of the Vulnerable Software and Affected Versions: Files Download Delay plugin for WordPress versions up to, and including, 1.0.9 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the...

PT-2025-1958 · WordPress · Searchie

Name of the Vulnerable Software and Affected Versions: Searchie plugin for WordPress versions up to, and including, 1.17.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's sio embed media shortcode due to insufficient input sanitization and output escaping on...

WordPress Auto iFrame plugin < 2.0 - Contributor+ XSS via Shortcode vulnerability

Contributor+ XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin Auto iFrame versions 2.0...

CVE-2024-10151

The Auto iFrame WordPress plugin before 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...