8961 matches found

Positive Technologies · added 2023/10/16 12:00 a.m. · 3 views

PT-2023-9953 · WordPress · Halulu Simple-Download-Button-Shortcode Plugin

Name of the Vulnerable Software and Affected Versions: Halulu simple-download-button-shortcode Plugin version 1.0
Description: A vulnerability has been found in the Halulu simple-download-button-shortcode Plugin on WordPress. The issue affects an unknown function of the file simple-download-butto...

CVSS 7.5 · AI score 6.9 · EPSS 0.00578
Exploits 0 · References 7
CNNVD · added 2023/10/16 12:00 a.m. · 2 views

WordPress plugin WP Matterport Shortcode Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

CVSS 5.4 · AI score 6.1 · EPSS 0.00403
Exploits 2 · References 2
Positive Technologies · added 2023/10/16 12:00 a.m. · 3 views

PT-2023-30035 · WordPress · Simple Posts Ticker

Name of the Vulnerable Software and Affected Versions: The Simple Posts Ticker WordPress plugin versions prior to 1.1.6
Description: The issue concerns the lack of validation and escaping of certain shortcode attributes in the plugin, which could allow users with the contributor role and above to...

CVSS 5.4 · AI score 5.8 · EPSS 0.00394
Exploits 2 · References 5
Positive Technologies · added 2023/10/16 12:00 a.m. · 4 views

PT-2023-28628 · WordPress · Wp Matterport Shortcode

Name of the Vulnerable Software and Affected Versions: WP Matterport Shortcode WordPress plugin versions prior to 2.1.8
Description: The issue is related to the WP Matterport Shortcode WordPress plugin, which does not validate and escape some of its shortcode attributes before outputting them bac...

CVSS 5.4 · AI score 5.2 · EPSS 0.00403
Exploits 2 · References 5
OSV · added 2023/10/13 1:15 p.m. · 1 view

CVE-2023-4995

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVSS 5.4 · AI score 6 · EPSS 0.00348
Exploits 0 · References 2
WPVulnDB · added 2023/10/13 12:00 a.m. · 181 views

WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution

Description: WordPress does not restrict which shortcode can be executed via the parsemediashortcode AJAX action, allowing any authenticated user, such as a subscriber, to execute arbitrary shortcodes...

AI score 7.6
Exploits 0 · References 1
Packet Storm · added 2023/10/13 12:00 a.m. · 739 views

WordPress Core 6.3.1 XSS / DoS / Arbitrary Shortcode Execution

The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit. WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While...

AI score 7.1
Exploits 0
Wordfence Blog · added 2023/10/12 9:58 p.m. · 48 views

WordPress 6.3.2 Security Release – What You Need to Know

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeove...

AI score 8.1
Exploits 0
OSV · added 2023/10/12 7:15 a.m. · 3 views

CVE-2023-5470

The Etsy Shop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'etsy-shop' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVSS 5.4 · AI score 6 · EPSS 0.00461
Exploits 0 · References 4
Patchstack · added 2023/10/12 12:00 a.m. · 10 views

WordPress CPT Shortcode Generator Plugin <= 1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Software: CPT Shortcode Generator; Type: Plugin; Vulnerable versions: = 1.0; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-45643; Patch priority: Low; CVSS severity: Low (4.3); Developer: Claim ownership; PSID: 729ac653cedf; Credits: Lokesh Dachepal...

CVSS 8.8 · AI score 6.6 · EPSS 0.00214
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2023/10/12 12:00 a.m. · 7 views

WordPress Remote Content Shortcode Plugin <= 1.5 is vulnerable to Local File Inclusion

Software: Remote Content Shortcode; Type: Plugin; Vulnerable versions: = 1.5; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2023-45652; Patch priority: Low; CVSS severity: Low (6.5); Developer: Claim ownership; PSID: 6e56401bc4b5; Credits: Mika; Required privilege: Contributor...

CVSS 6.5 · AI score 6.8 · EPSS 0.00588
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2023/10/12 12:00 a.m. · 14 views

WordPress CPT Shortcode Generator Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)

Software: CPT Shortcode Generator; Type: Plugin; Vulnerable versions: = 1.0; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-45644; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 8bfa1d036efa; Credits: Lokesh Dachepalli...

CVSS 5.9 · AI score 5.7 · EPSS 0.00409
Exploits 0 · References 1 · Affected Software 1
WPVulnDB · added 2023/10/12 12:00 a.m. · 9 views

WP Responsive header image slider <= 3.2.1 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.4 · AI score 5.6 · EPSS 0.00348
Exploits 0 · References 1
Snyk · added 2023/10/12 12:00 a.m. · 2 views

Improper Input Validation

Overview: johnpbloch/wordpress-core is web software you can use to create a website or blog. Affected versions of this package are vulnerable to Improper Input Validation due to insufficient input validation in the parsemediashortcode AJAX function. An attacker can manipulate the shortcode outpu...

CVSS 5.4 · AI score 6.9
Exploits 0 · References 2
WPVulnDB · added 2023/10/11 12:00 a.m. · 19 views

Google Map Shortcode <= 3.1.2 - Settings Update via CSRF

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

CVSS 8.8 · AI score 6.4 · EPSS 0.00208
Exploits 0
OSV · added 2023/10/10 5:15 a.m. · 3 views

CVE-2023-5468

The Slick Contact Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcscf-link' shortcode in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 5.4 · AI score 7
Exploits 0 · References 2
Vulnrichment · added 2023/10/10 4:29 a.m. · 3 views

CVE-2023-5468 Slick Contact Forms <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Slick Contact Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcscf-link' shortcode in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4 · AI score 6.8 · EPSS 0.00345
Exploits 0 · References 2
Positive Technologies · added 2023/10/10 12:00 a.m. · 2 views

PT-2023-32123 · WordPress · Slick Contact Forms

Name of the Vulnerable Software and Affected Versions: Slick Contact Forms plugin for WordPress versions up to, and including, 1.3.7
Description: The issue is related to Stored Cross-Site Scripting via the 'dcscf-link' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 5.5 · EPSS 0.00345
Exploits 0 · References 5
WPVulnDB · added 2023/10/09 12:00 a.m. · 27 views

Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Po...

CVSS 5.4 · AI score 5.4 · EPSS 0.00449
Exploits 2 · References 1 · Affected Software 1
OSV · added 2023/10/04 2:15 a.m. · 3 views

CVE-2023-5357

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVSS 5.4 · AI score 6.7 · EPSS 0.00355
Exploits 0 · References 2