8962 matches found
CVE-2024-1357
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auxtimeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as...
PT-2024-17969 · WordPress · Phlox
Name of the Vulnerable Software and Affected Versions: Shortcodes and extra features for Phlox theme plugin for WordPress versions up to, and including, 2.15.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's aux timeline shortcode due to insufficient input...
WordPress Advance Search plugin <= 1.1.6 - Shortcode Deletion via CSRF vulnerability
Shortcode Deletion via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin Advanced Search versions <= 1.1.6...
WordPress GiveWP – Donation Plugin and Fundraising Platform plugin <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Ngô Thiên An (ancorn) in WordPress Plugin GiveWP versions <= 3.6.1...
WordPress Slider, Gallery, and Carousel by MetaSlider plugin <= 3.70.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via metaslider Shortcode vulnerability discovered by wesley (wcraft) in WordPress Plugin Responsive Slider by MetaSlider versions <= 3.70.0...
CVE-2024-1846
The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-6067
The WP User Profile Avatar WordPress plugin through 1.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attac...
CVE-2024-1846 Responsive Tabs < 4.0.7 - Contributor+ Stored XSS
The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-2739 Advance Search <= 1.1.6 - Shortcode Deletion via CSRF
The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
LiveJournal Shortcode <= 1.1.1 - Contributor+ Stored XSS via Shortcode
Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: Add this shortcode to a page...
LiveJournal Shortcode <= 1.1.1 - Contributor+ Stored XSS via Shortcode
Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add this shortcode to a page: lj...
PT-2024-14872 · WordPress · Wp User Profile Avatar
Name of the Vulnerable Software and Affected Versions: WP User Profile Avatar WordPress plugin versions 1.0.1 and earlier Description: The issue is related to the WP User Profile Avatar WordPress plugin, which does not validate and escape some of its shortcode attributes before outputting them ba...
PT-2024-22206 · WordPress · The Shopkeeper Extender
Name of the Vulnerable Software and Affected Versions: The Shopkeeper Extender plugin for WordPress versions up to, and including, 3.5 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'image slide' shortcode, allowi...
PT-2024-18451 · WordPress · Givewp
Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions up to, and including, 3.6.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'give form' shortcode due to insufficient input sanitization and output...
CVE-2024-32109
Cross-Site Request Forgery (CSRF) vulnerability in Julien Berthelot / MPEmbed.Com WP Matterport Shortcode allows Cross Site Request Forgery. This issue affects WP Matterport Shortcode: from n/a through 2.1.9...
CVE-2024-32109 WordPress WP Matterport Shortcode plugin <= 2.1.9 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Julien Berthelot / MPEmbed.Com WP Matterport Shortcode allows Cross Site Request Forgery. This issue affects WP Matterport Shortcode: from n/a through 2.1.9...
CVE-2024-32109
CVE-2024-32109 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Matterport Shortcode. Affected: Matterport Shortcode versions up to 2.1.9 (n/a through 2.1.9). CVSS 3.1 base score 4.3 (Medium). No patch/remediation details are provided in the supplied documents; exploitation status i...
WordPress WP Matterport Shortcode plugin <= 2.1.9 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien (Patchstack Alliance) in WordPress Plugin WP Matterport Shortcode versions <= 2.1.9...
CVE-2024-3285
The Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'metaslider' shortcode in all versions up to, and including, 3.70.0 due to insufficient input sanitization and output escaping on us...