WordPress Avada | Website Builder For WordPress & eCommerce plugin <= 3.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via fusionbutton Shortcode vulnerability discovered by wesley wcraft in WordPress Plugin Fusion Builder versions = 3.11.9...

PT-2024-37206 · WordPress · Delicate Theme For Wordpress

Name of the Vulnerable Software and Affected Versions: Delicate theme for WordPress versions up to, and including, 3.5.5 Description: The issue is related to Stored Cross-Site Scripting via the link parameter within the theme's Button shortcode due to insufficient input sanitization and output...

PT-2024-37209 · WordPress · Tweaker5

Name of the Vulnerable Software and Affected Versions: Tweaker5 theme for WordPress versions up to, and including, 1.2 Description: The issue is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping. This allows authenticated attackers with...

PT-2024-37155 · WordPress · Triton Lite

Name of the Vulnerable Software and Affected Versions: Triton Lite theme for WordPress versions up to, and including, 1.3 Description: The issue is related to Stored Cross-Site Scripting via the url attribute within the theme's Button shortcode due to insufficient input sanitization and output...

PT-2024-39222 · WordPress · Email Obfuscate Shortcode

Name of the Vulnerable Software and Affected Versions: Email Obfuscate Shortcode plugin for WordPress versions up to, and including, 2.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode due to insufficient input sanitization and output...

PT-2024-36778 · WordPress · Avada

Name of the Vulnerable Software and Affected Versions: Avada | Website Builder For WordPress & eCommerce plugin for WordPress versions up to, and including, 3.11.9 Description: The issue is related to Stored Cross-Site Scripting via the plugin's fusion button shortcode due to insufficient input...

CVE-2024-8543

The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sciba shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

CVE-2024-8478

The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it...

CVE-2024-8478

The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it...

CVE-2024-8478 Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution

The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it...

CVE-2024-8478

CVE-2024-8478 affects WordPress plugins: Affiliate Super Assistent (

WordPress Affiliate Super Assistent plugin <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Francesco Carlucci in WordPress Plugin Affiliate Super Assistent versions = 1.5.3...

PT-2024-39083 · WordPress · Slider Comparison Image Before/After

Name of the Vulnerable Software and Affected Versions: The Slider comparison image before and after plugin for WordPress versions up to, and including, 0.8.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's sciba shortcode due to insufficient input sanitization an...

PT-2024-39044 · WordPress · Affiliate Super Assistent

Name of the Vulnerable Software and Affected Versions: The Affiliate Super Assistent plugin for WordPress versions up to, and including, 1.5.3 Description: The issue is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This...

CVE-2024-6859

The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-6859 WP MultiTasking <= 0.1.12 - Reflected XSS via Shortcode

The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-6859 WP MultiTasking <= 0.1.12 - Reflected XSS via Shortcode

The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-7381

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajaxshortcodecache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary...

CVE-2024-7381

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajaxshortcodecache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary...

CVE-2024-7381 Geo Controller <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajaxshortcodecache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary...