CVE-2022-4471

The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4448

The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4458

The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against hig...

Design/Logic Flaw

The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their...

Cross site scripting

The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

Cross site scripting

Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Cross site scripting

The Lightbox Gallery WordPress plugin before 0.9.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4759 GigPress < 2.3.28 - Contributor+ Stored XSS via Shortcode

The GigPress WordPress plugin before 2.3.28 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0177 Social Like Box and Page by WpDevArt < 0.8.41 - Contributor+ Stored XSS

The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

CVE-2022-4830 Paid Memberships Pro < 2.9.9 - Contributor+ Stored XSS via Shortcode

The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4830 Paid Memberships Pro < 2.9.9 - Contributor+ Stored XSS via Shortcode

The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4488 Widgets on Pages < 1.8.0 - Contributor+ Stored XSS

The Widgets on Pages WordPress plugin before 1.8.0 does not validate and escape its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege use...

CVE-2022-4682 Lightbox Gallery < 0.9.5 - Contributor+ Stored XSS via Shortcode

The Lightbox Gallery WordPress plugin before 0.9.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0034 JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode

The JetWidgets For Elementor WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVE-2023-0166 PickPlugins Product Slider for WooCommerce < 1.13.42 - Contributor+ Stored XSS

The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored...

CVE-2022-4656 WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode

The WP Visitor Statistics Real Time Traffic WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...

CVE-2022-4656 WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode

The WP Visitor Statistics Real Time Traffic WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...

CVE-2023-0275 Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS

The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

CVE-2023-0061 Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS

The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Si...

CVE-2023-0333

The CVE-2023-0333 entry concerns the TemplatesNext ToolKit WordPress plugin prior to version 3.2.9. The issue is that the plugin does not validate some shortcode attributes before using them to generate HTML tags, enabling Stored Cross-Site Scripting (XSS) when an attacker with Contributor privil...