8957 matches found
CVE-2026-5505
CVE-2026-5505 affects the WordPress plugin WP-Clippy (versions up to and including 1.0.0). The vulnerability is a Stored Cross‑Site Scripting via the plugin’s clippy shortcode attributes, caused by insufficient input sanitization and output escaping. Exploitation requires at least contributor‑lev...
CVE-2026-6255
Summary: CVE-2026-6255 affects the WordPress plugin Simple Owl Shortcodes, with a Stored Cross-Site Scripting vulnerability via the num attribute of the owls_wrapper shortcode in all versions up to and including 2.1.1. The issue stems from insufficient input sanitization and output escaping on us...
CVE-2026-5247 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the futureaction shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The...
CVE-2026-5247
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the futureaction shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The...
CVE-2026-4730
The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. Th...
CVE-2026-4730 Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute
The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. Th...
CVE-2026-4730
The CVE concerns the WordPress plugin “Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website” (plugin name as stated in sources). It is vulnerable to Stored Cross-Site Scripting via the chartid shortcode attribute in all versions up to and including 2.1.0 due to insuf...
WordPress plugin Schedule Post Changes With PublishPress Future cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...
WordPress plugin User Registration & Membership security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
PT-2026-36955
Name of the Vulnerable Software and Affected Versions: WP-Clippy versions prior to 1.0.1. Description: The WP-Clippy plugin for WordPress contains a stored cross-site scripting issue. This occurs because of insufficient input sanitization and output escaping on user-supplied attributes within the...
PT-2026-36954
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the futureaction shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The...
PT-2026-36994
Name of the Vulnerable Software and Affected Versions: User Registration & Membership plugin for WordPress versions prior to 5.1.5. Description: A missing capability check in the embed form action function allows authenticated attackers with Contributor-level access or higher to perform unauthorized...
PT-2026-36952
Name of the Vulnerable Software and Affected Versions: Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website versions prior to 2.1.1. Description: The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the targe...
CVE-2026-0703 NextMove Lite - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xlwcty_current_date' Shortcode
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2026-7209 Simple Link Directory <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's qcopd-directory shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as titlefontsize...
CVE-2026-7209
CVE-2026-7209 concerns the WordPress plugin Simple Link Directory. The vulnerability is a Stored Cross-Site Scripting issue in the plugin’s qcopd-directory shortcode present in all versions up to 8.9.2. The root cause is insufficient input sanitization and output escaping for user-supplied shortc...
WordPress Five-Star Ratings Shortcode plugin <= 1.2.56 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Five-Star Ratings Shortcode versions <= 1.2.56...
VulnCheck KEV: CVE-2025-15488
The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the updateresponsivewoofreeshippingleftshortcode AJAX action that does not properly validate the contentrechdata parameter before processi...