Shortcodes Ultimate < 7.0.3 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its sutooltip shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC otwshortcodetabslayout...

Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC otwshortcodebutton...

PT-2024-18018 · WordPress · Profilepress

Name of the Vulnerable Software and Affected Versions: ProfilePress plugin for WordPress versions up to, and including, 4.14.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode due to insufficient input sanitization and output escapi...

PT-2024-18140 · WordPress · Profilepress

Name of the Vulnerable Software and Affected Versions: ProfilePress plugin for WordPress versions up to, and including, 4.14.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's login-password shortcode due to insufficient input sanitization and output escaping on...

PT-2024-16355 · WordPress · Booster For Woocommerce

Name of the Vulnerable Software and Affected Versions: The Booster for WooCommerce plugin for WordPress versions up to, and including, 7.1.6 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'wcj product barcode' shortcode due to insufficient input sanitization and...

PT-2024-18051 · WordPress · Page Scroll To Id

Name of the Vulnerable Software and Affected Versions: Page scroll to id plugin for WordPress versions up to, and including, 1.7.8 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin'...

PT-2024-18102 · WordPress · Wp Shortcodes Plugin

Name of the Vulnerable Software and Affected Versions: WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress versions up to, and including, 7.0.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's su tooltip shortcode due to insufficient input sanitization...

Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover

Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install Formidable...

Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure

Description The plugin does not prevent user with at least the contributor role from leaking other users' sensitive metadata. PoC As a contributor, - Add shortcode to any post and specify/guess any user ID and meta key and save - Preview the post and see custom field value outputs from any user...

Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure

Description The plugin does not prevent user with at least the contributor role from leaking other users' sensitive metadata. As a contributor, - Add shortcode to any post and specify/guess any user ID and meta key and save - Preview the post and see custom field value outputs from any user Examp...

Paytium: Mollie payment forms & donations < 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Description The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-1159

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

PT-2024-17122 · WordPress · Bold Page Builder

Name of the Vulnerable Software and Affected Versions: The Bold Page Builder plugin for WordPress versions up to, and including, 4.8.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's shortcodes due to insufficient input sanitization and output escaping on...

Email Encoder – Protect Email Addresses and Phone Numbers < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping on user supplied attribute...

CVE-2024-24930

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OTWthemes.Com Buttons Shortcode and Widget allows Stored XSS.This issue affects Buttons Shortcode and Widget: from n/a through 1.16...

Cross site scripting

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OTWthemes.Com Buttons Shortcode and Widget allows Stored XSS.This issue affects Buttons Shortcode and Widget: from n/a through 1.16...

CVE-2024-24930 WordPress Buttons Shortcode and Widget Plugin <= 1.16 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OTWthemes.Com Buttons Shortcode and Widget allows Stored XSS.This issue affects Buttons Shortcode and Widget: from n/a through 1.16...

CVE-2024-24930

CVE-2024-24930 is a stored XSS in the WordPress Buttons Shortcode and Widget plugin (

CVE-2024-24930 WordPress Buttons Shortcode and Widget Plugin <= 1.16 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in OTWthemes.Com Buttons Shortcode and Widget allows Stored XSS.This issue affects Buttons Shortcode and Widget: from n/a through 1.16...