CVE-2023-4799

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-48300 Embed Privacy missing escaping for show_all attribute in opt-out shortcode

The Embed Privacy plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via embedprivacyoptout shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attribute...

WordPress Plugin Embed Privacy Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. WordPress Plugin Embed Privacy 1.8....

QR Code Tag <= 1.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its qrcodetag shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Telephone Number Linker <= 1.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its telnumlink shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Featured Image Caption < 0.8.11 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Social Feed <= 1.5.4.6 - Author+ Stored XSS

Description The plugin does not validate and escape some of its socialfeed shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Author role and above to perform Stored Cross-Site Scripting attacks...

ShortCodes UI <= 1.9.8 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

POWR < 2.2.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its powr-powr-pack shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-4889

The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-5741

The POWR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'powr-powr-pack' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2023-5741

The POWR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'powr-powr-pack' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Frontend File Manager < 22.7 - Editor+ Arbitrary File Download

Description The plugin has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as wp-config.php 1 Create new post with this shortcode - ffmwp 2 Go to new post and upload any file 3 After that go to main page of plugin for users...

Advanced iFrame < 2023.9 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-32295 · WordPress · Powr Plugin

Name of the Vulnerable Software and Affected Versions: POWR plugin for WordPress versions up to, and including, 2.1.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'powr-powr-pack' shortcode due to insufficient input sanitization and output escaping on...

CVE-2023-28495

Cross-Site Request Forgery CSRF vulnerability in MyThemeShop WP Shortcode by MyThemeShop plugin = 1.4.16 versions...

CVE-2023-28495 WordPress WP Shortcode by MyThemeShop Plugin <= 1.4.16 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery CSRF vulnerability in MyThemeShop WP Shortcode by MyThemeShop plugin = 1.4.16 versions...

CVE-2023-28495

CVE-2023-28495 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin WP Shortcode by MyThemeShop, version

WordPress Plugin WP Shortcode by MyThemeShop Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2023-32579

Cross-Site Request Forgery CSRF vulnerability in Designs & Code Forget About Shortcode Buttons plugin = 2.1.2 versions...