CVE-2024-8746

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mkfilefoldermanagershortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if grant...

PT-2024-39397 · WordPress · The Popup Builder

Name of the Vulnerable Software and Affected Versions: The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress versions up to 1.3.5 Description: The issue allows arbitrary shortcode execution via the wp ajax nopriv shortcode Api Add AJAX action. This is due to the...

WordPress WP Popup Builder – Popup Forms and Marketing Lead Generation plugin <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Francesco Carlucci in WordPress Plugin WP Popup Builder versions = 1.3.5...

CVE-2024-9837 AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution

The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode...

CVE-2024-9837 AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution

The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode...

CVE-2024-9837

CVE-2024-9837 – AADMY WordPress plugin : The plugin “Add Auto Date Month Year Into Posts” is vulnerable in all versions up to 2.0.1 due to improper validation before running do_shortcode, enabling unauthenticated arbitrary shortcode execution. Impact: attackers can run arbitrary shortcodes, poten...

WordPress AADMY plugin <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Francesco Carlucci in WordPress Plugin AADMY versions = 2.0.1...

PT-2024-39877 · WordPress · Aadmy – Add Auto Date Month Year Into Posts

Name of the Vulnerable Software and Affected Versions: The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not...

WordPress Rescue Shortcodes plugin <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Rescue Shortcodes versions = 2.8...

WordPress Social Sharing (by Danny) plugin <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Social Sharing by Danny versions = 1.3.7...

CVE-2024-9704

The Social Sharing by Danny plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvksocialsharing' shortcode in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

CVE-2024-9704 Social Sharing (by Danny) <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Social Sharing by Danny plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvksocialsharing' shortcode in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

PT-2024-39771 · WordPress · Social Sharing

Name of the Vulnerable Software and Affected Versions: Social Sharing by Danny plugin for WordPress versions up to, and including, 1.3.7 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the dvk social sharing shortcode. This...

CVE-2024-9051 WP Ultimate Post Grid <= 3.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode

The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVE-2024-9543 Powerpress <= 11.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via skipto Shortcode

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-9581

The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2024-8987

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youzifymedia shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and outpu...

CVE-2024-9581

CVE-2024-9581 affects the WordPress plugin Shortcodes AnyWhere. The vulnerability is an unauthenticated arbitrary shortcode execution via do_shortcode due to improper value validation in all versions up to 1.0.1. Connected sources confirm this as an active issue (unpatched in Wordfence/NVD entrie...

PT-2024-39688 · Blubrry · Powerpress Podcasting Plugin

Name of the Vulnerable Software and Affected Versions: PowerPress Podcasting plugin by Blubrry plugin for WordPress versions up to, and including, 11.9.18 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode due to insufficient input sanitization an...

WordPress Shortcodes AnyWhere plugin <= 1.0.1 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Francesco Carlucci in WordPress Plugin Shortcodes AnyWhere versions = 1.0.1...