CVE-2023-1911

The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example...

CVE-2023-0891

The StagTools WordPress plugin before 2.3.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-1911

Blocksy Companion (WordPress plugin by Creative Themes) before 1.8.82 contains an authorization flaw: posts accessible via a shortcode are not confirmed public, allowing any authenticated user (e.g., subscribers) to view draft content. This exposes draft posts to users who should not have access....

WordPress plugin Blocksy Companion 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

User IP and Location < 2.2.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. clickfunnelsembed url="javascript:alert1"...

ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC clickfunnelsembed url="javascript:alert1"...

WordPress Post Shortcode Plugin <= 2.0.9 is vulnerable to Cross Site Scripting (XSS)

Software Post Shortcode Type Plugin Vulnerable versions = 2.0.9 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0526 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 623dba0711b0 Credits István Márton Require...

URL Params < 2.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC urlparam htmltag='h1' attr='a'...

Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF

The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1...

CVE-2023-0276

The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVE-2023-0418

The Video Central for WordPress plugin through 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Cross site scripting

The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

PT-2023-16134 · WordPress · Weaver Xtreme Theme Support

Name of the Vulnerable Software and Affected Versions: Weaver Xtreme Theme Support WordPress plugin versions prior to 6.2.7 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes, which could allow users with the contributor role and above to perform...

Arconix Shortcodes <= 2.1.7 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Rating Widget <= 3.2.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-16256 · WordPress · The Video Central For Wordpress

Name of the Vulnerable Software and Affected Versions: The Video Central for WordPress plugin through 1.3.0 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the plugin, which could allow users with the contributor role and above to perform Store...

WordPress PowerPress 10.0 Cross Site Scripting Vulnerability

On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting XSS vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. The vulnerability enables threat...

CVE-2023-23827

Auth. contributor+ Cross-Site Scripting XSS vulnerability in Google Maps v3 Shortcode plugin = 1.2.1 versions...

WordPress Plugin Google Maps v3 Shortcode 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting vulnerabilit...