8962 matches found

Cvelist
added 2024/09/05 11:0 a.m. · 31 views

CVE-2024-7381 Geo Controller <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajaxshortcodecache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary...

CVSS 5.3 · EPSS 0.00339
Exploits: 0 · References: 2

OSV
added 2024/09/05 9:15 a.m. · 3 views

CVE-2024-8363

The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STI Buttons shortcode in all versions up to, and including, 2.02 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 6 · EPSS 0.00394
Exploits: 0 · References: 4

Patchstack
added 2024/09/05 2:58 a.m. · 4 views

WordPress Share This Image plugin <= 2.02 - Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via STI Buttons Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Share This Image versions <= 2.02...

CVSS 6.4 · AI score 5.8 · EPSS 0.00394
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/09/05 12:0 a.m. · 3 views

PT-2024-38969 · WordPress · Share This Image

Name of the Vulnerable Software and Affected Versions: Share This Image plugin for WordPress versions up to, and including, 2.02 Description: The issue is related to Stored Cross-Site Scripting via the plugin's STI Buttons shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 6.1 · EPSS 0.00394
Exploits: 0 · References: 10

OSV
added 2024/08/30 5:15 a.m. · 3 views

CVE-2024-3998

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 27.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 5.9
Exploits: 0 · References: 2

Patchstack
added 2024/08/30 2:47 a.m. · 3 views

WordPress Betheme theme <= 27.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Foxyyy in WordPress Theme Betheme versions <= 27.5.6...

CVSS 6.4 · AI score 5.8 · EPSS 0.00248
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/08/30 12:0 a.m. · 4 views

PT-2024-38890

Name of the Vulnerable Software and Affected Versions: Clean Login plugin for WordPress versions up to, and including, 1.14.5 Description: The Clean Login plugin for WordPress is vulnerable to Local File Inclusion via the template attribute of the clean-login-register shortcode. This allows...

CVSS 8.8 · AI score 6.5 · EPSS 0.03034
Exploits: 0 · References: 15

Vulnrichment
added 2024/08/29 3:2 p.m. · 22 views

CVE-2024-43922 WordPress NitroPack plugin <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in NitroPack Inc. NitroPack allows Code Injection. This issue affects NitroPack: from n/a through 1.16.7...

CVSS 4.8 · AI score 7.1 · EPSS 0.00354
Exploits: 0 · References: 1

Cvelist
added 2024/08/29 3:2 p.m. · 35 views

CVE-2024-43922 WordPress NitroPack plugin <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in NitroPack Inc. NitroPack allows Code Injection. This issue affects NitroPack: from n/a through 1.16.7...

CVSS 4.8 · EPSS 0.00354
Exploits: 0 · References: 1

OSV
added 2024/08/29 1:15 p.m. · 2 views

CVE-2024-1384

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auxrecentportfoliosgrid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes...

CVSS 5.4 · AI score 5.9 · EPSS 0.00358
Exploits: 0 · References: 2

OSV
added 2024/08/29 11:15 a.m. · 3 views

CVE-2024-7606

The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode in all versions up to, and including, 3.2.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 6 · EPSS 0.00311
Exploits: 0 · References: 4

Positive Technologies
added 2024/08/28 12:0 a.m. · 5 views

PT-2024-38447 · WordPress · Front End Users

Name of the Vulnerable Software and Affected Versions: Front End Users plugin for WordPress versions up to, and including, 3.2.28 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 6 · EPSS 0.00311
Exploits: 0 · References: 10

Patchstack
added 2024/08/26 8:54 a.m. · 2 views

WordPress NitroPack plugin <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin NitroPack versions <= 1.16.7...

CVSS 9.8 · AI score 7.1 · EPSS 0.00354
Exploits: 0 · Affected Software: 1

Positive Technologies
added 2024/08/24 12:0 a.m. · 2 views

PT-2024-38484 · Devvn · The Image Hotspot

Name of the Vulnerable Software and Affected Versions: The Image Hotspot by DevVN plugin for WordPress versions 1.2.5 and earlier Description: The issue concerns PHP Object Injection via deserialization of untrusted input in the devvn ihotspot shortcode func function. This allows authenticated...

CVSS 8.8 · AI score 7 · EPSS 0.00783
Exploits: 0 · References: 10

Positive Technologies
added 2024/08/19 12:0 a.m. · 3 views

PT-2024-37912 · WordPress · Wp Last Modified Info

Name of the Vulnerable Software and Affected Versions: WP Last Modified Info plugin for WordPress versions up to, and including, 1.9.0 Description: The issue is related to Stored Cross-Site Scripting via the template attribute of the lmt-post-modified-info shortcode. This is due to insufficient...

CVSS 6.4 · AI score 5.9 · EPSS 0.00313
Exploits: 0 · References: 12

Vulnrichment
added 2024/08/16 1:59 a.m. · 7 views

CVE-2023-7049 Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the 'cmfieldshow' shortcode due to missing validation on the 'jobid' user controlled key. This makes it possible for authenticated attackers...

CVSS 4.3 · AI score 6.5 · EPSS 0.00388
Exploits: 0 · References: 2

Patchstack
added 2024/08/16 1:31 a.m. · 4 views

WordPress Custom Field For WP Job Manager plugin <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability

Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Custom Field For WP Job Manager versions <= 1.2...

CVSS 4.3 · AI score 6.9 · EPSS 0.00388
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/08/15 3:17 a.m. · 4 views

WordPress WP MultiTasking plugin <= 0.1.12 - Reflected XSS via Shortcode vulnerability

Reflected XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin WP MultiTasking versions <= 0.1.12...

CVSS 5.4 · AI score 6.3 · EPSS 0.00171
Exploits: 1 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/08/14 12:0 a.m. · 1 views

PT-2024-37694 · WordPress · Sheet To Table Live Sync For Google Sheet

Name of the Vulnerable Software and Affected Versions: The Sheet to Table Live Sync for Google Sheet plugin for WordPress versions up to, and including, 1.0.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's STWT Sheet Table shortcode due to insufficient input...

CVSS 6.4 · AI score 5.9 · EPSS 0.00342
Exploits: 0 · References: 8

Patchstack
added 2024/08/12 3:3 a.m. · 2 views

WordPress MDx theme <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via mdx_list_item Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via mdx_list_item Shortcode vulnerability discovered by Carson Chan in WordPress Theme MDx versions <= 2.0.3...

CVSS 6.4 · AI score 5.8 · EPSS 0.00379
Exploits: 0 · References: 1 · Affected Software: 1