8962 matches found
CVE-2024-11606
The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-10536
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handleblockshortcodeexport function in all versions up to, and including, 6.0.0. This...
CVE-2024-11606
CVE-2024-11606 : The Tabs Shortcode WordPress plugin (affected until version 2.0.2) does not validate or escape certain shortcode attributes before echoing them in the rendered page. This can permit users with the contributor role or higher to trigger a Stored Cross-Site Scripting (XSS) vulnerabi...
CVE-2024-11606 Tabs Shortcode <= 2.0.2 - Contributor+ XSS via Shortcode
The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-11606 Tabs Shortcode <= 2.0.2 - Contributor+ XSS via Shortcode
The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-10536 FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor <= 6.0.0 - Missing Authorization to Authenticated (Subscriber+) Shortcode Export
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handleblockshortcodeexport function in all versions up to, and including, 6.0.0. This...
CVE-2024-10536 FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor <= 6.0.0 - Missing Authorization to Authenticated (Subscriber+) Shortcode Export
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handleblockshortcodeexport function in all versions up to, and including, 6.0.0. This...
CVE-2024-10536
CVE-2024-10536 concerns the FancyPost plugin for WordPress, where a missing capability check in handle_block_shortcode_export() allows authenticated users with Subscriber-level access and above to export shortcodes. The issue affects all versions up to 6.0.0 as stated in the description. Public d...
CVE-2024-9702 Social Rocket <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2024-9702 Social Rocket <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2024-12439 Marketplace Items <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marketplace' Shortcode
The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-12207 Toggles Shortcode and Widget <= 1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Toggles Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-12462 YOGO Booking <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The YOGO Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yogo-calendar' shortcode in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-12528
The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypollresults' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on use...
CVE-2024-12419
The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
CVE-2024-12419
CVE-2024-12419 affects the Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. All versions up to 1.7.0 allow unauthenticated users to trigger arbitrary shortcode execution by calling an action that does not validate the value before do_shortcode. This also enables Reflected Cross-...
CVE-2024-12419 Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.0 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
CVE-2024-12419 Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting
The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before...
PT-2025-1666 · WordPress · Tabs Shortcode
Name of the Vulnerable Software and Affected Versions: Tabs Shortcode WordPress plugin versions 2.0.2 and earlier Description: The issue concerns the Tabs Shortcode WordPress plugin, which does not validate and escape some of its shortcode attributes before outputting them back in a page or post...
PT-2025-1710 · WordPress · Slider Pro Lite
Name of the Vulnerable Software and Affected Versions: Slider Pro Lite plugin for WordPress versions up to, and including, 1.4.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's sliderpro shortcode. This allows...