8961 matches found

Prion
added 2023/10/04 2:15 a.m. · 19 views

Cross site scripting

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

4.9 CVSS · 5.2 AI score · 0.00355 EPSS
Exploits 0 · References 2 · Affected Software 1

Vulnrichment
added 2023/10/04 1:52 a.m. · 2 views

CVE-2023-5291 Blog Filter <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4 CVSS · 6.8 AI score · 0.0044 EPSS
Exploits 0 · References 3

Vulnrichment
added 2023/10/04 1:52 a.m. · 3 views

CVE-2023-5357 Instagram for WordPress <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4 CVSS · 6.8 AI score · 0.00355 EPSS
Exploits 0 · References 2

Cvelist
added 2023/10/03 10:22 a.m. · 25 views

CVE-2023-38396 WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Alain Gonzalez plugin <= 3.1.2 versions...

5.4 CVSS · 9 AI score · 0.00208 EPSS
Exploits 0 · References 1

Vulnrichment
added 2023/10/03 10:22 a.m. · 13 views

CVE-2023-38396 WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Alain Gonzalez plugin <= 3.1.2 versions...

5.4 CVSS · 7.1 AI score · 0.00208 EPSS
Exploits 0 · References 1

Vulnrichment
added 2023/10/03 1:58 a.m. · 1 views

CVE-2023-5334 WP Responsive header image slider <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'spresponsiveslider' shortcode in versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS · 6.1 AI score · 0.00348 EPSS
Exploits 0 · References 2

CNNVD
added 2023/10/03 12:00 a.m. · 4 views

WordPress Plugin google-map-shortcode Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site request forgery vulnerability...

8.8 CVSS · 6.5 AI score · 0.00208 EPSS
Exploits 0 · References 2

Positive Technologies
added 2023/10/02 12:00 a.m. · 2 views

PT-2023-32053 · WordPress · Wp Responsive Header Image Slider

Name of the Vulnerable Software and Affected Versions: WP Responsive header image slider plugin for WordPress versions up to, and including, 3.2.1 Description: The issue is related to Stored Cross-Site Scripting via the 'sp responsiveslider' shortcode due to insufficient input sanitization and...

6.4 CVSS · 5.7 AI score · 0.00348 EPSS
Exploits 0 · References 8

OSV
added 2023/09/30 3:15 a.m. · 1 views

CVE-2023-5201

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...

8.8 CVSS · 7.5 AI score · 0.01429 EPSS
Exploits 0 · References 3

OSV
added 2023/09/30 3:15 a.m. · 1 views

CVE-2023-5295

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

5.4 CVSS · 7 AI score · 0.00359 EPSS
Exploits 0 · References 2

Prion
added 2023/09/30 3:15 a.m. · 20 views

Remote code execution

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...

6.5 CVSS · 8.8 AI score · 0.01429 EPSS
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2023/09/30 2:33 a.m. · 25 views

CVE-2023-5201 OpenHook <= 4.3.0 - Authenticated (Subscriber+) Remote Code Execution via Shortcode

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...

9.9 CVSS · 9.8 AI score · 0.01429 EPSS
Exploits 0 · References 3

Vulnrichment
added 2023/09/30 2:33 a.m. · 0 views

CVE-2023-5201 OpenHook <= 4.3.0 - Authenticated (Subscriber+) Remote Code Execution via Shortcode

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the php shortcode setting to be...

9.9 CVSS · 7.4 AI score · 0.01429 EPSS
Exploits 0 · References 3

Positive Technologies
added 2023/09/29 12:00 a.m. · 3 views

PT-2023-31908 · WordPress · Openhook

Name of the Vulnerable Software and Affected Versions: OpenHook plugin for WordPress versions up to, and including, 4.3.0 Description: The issue allows authenticated attackers with subscriber-level permissions or above to execute code on the server via the php shortcode. This requires the php...

9.9 CVSS · 8.7 AI score · 0.01429 EPSS
Exploits 0 · References 9

OSV
added 2023/09/28 5:15 a.m. · 3 views

CVE-2023-5232

The Font Awesome More Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'icon' shortcode in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

5.4 CVSS · 7 AI score
Exploits 0 · References 2

OSV
added 2023/09/28 5:15 a.m. · 4 views

CVE-2023-5233

The Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'fawesome' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

5.4 CVSS · 6 AI score · 0.00359 EPSS
Exploits 0 · References 2

OSV
added 2023/09/28 5:15 a.m. · 2 views

CVE-2023-5230

The TM WooCommerce Compare & Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'tmwoowishlisttable' shortcode in versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4 CVSS · 7 AI score · 0.00333 EPSS
Exploits 0 · References 2

WPVulnDB
added 2023/09/28 12:00 a.m. · 17 views

Font Awesome Integration <= 5.0 - Contributor+ Stored Cross-Site Scripting

Description: The plugin does not sufficiently sanitize and escape user-supplied attributes in the 'fawesome' shortcode, which can lead to the injection of arbitrary web scripts on pages accessed by users...

6.4 CVSS · 6.7 AI score · 0.00359 EPSS
Exploits 0 · References 1

OSV
added 2023/09/27 3:19 p.m. · 4 views

CVE-2023-5135

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4 CVSS · 6 AI score · 0.00636 EPSS
Exploits 1 · References 5

Positive Technologies
added 2023/09/27 12:00 a.m. · 3 views

PT-2023-31959 · WordPress · Tm Woocommerce Compare & Wishlist

Name of the Vulnerable Software and Affected Versions: TM WooCommerce Compare & Wishlist plugin for WordPress versions up to, and including, 1.1.7 Description: The issue is related to Stored Cross-Site Scripting via the 'tm woo wishlist table' shortcode due to insufficient input sanitization and...

6.4 CVSS · 5.5 AI score · 0.00333 EPSS
Exploits 0 · References 8