CVE-2022-4674 Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode

The Ibtana WordPress plugin before 1.1.8.8 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...

CVE-2022-4838 Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode

The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

CVE-2022-4838 Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode

The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

CVE-2022-4833 YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode

The YourChannel: Everything you want in a YouTube plugin WordPress plugin before 1.2.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...

CVE-2022-4825 WP-ShowHide < 1.05 - Contributor+ Stored XSS via Shortcode

The WP-ShowHide WordPress plugin before 1.05 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

CVE-2022-4825 WP-ShowHide < 1.05 - Contributor+ Stored XSS via Shortcode

The WP-ShowHide WordPress plugin before 1.05 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...

CVE-2023-0143 Send PDF for Contact Form 7 < 0.9.9.2 - Contributor+ Stored XSS via Shortcode

The Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used again...

CVE-2023-0143 Send PDF for Contact Form 7 < 0.9.9.2 - Contributor+ Stored XSS via Shortcode

The Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used again...

CVE-2022-4717 Strong Testimonials < 3.0.3 - Contributor+ Stored XSS via Shortcode

The Strong Testimonials WordPress plugin before 3.0.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2023-0174 WP VR < 8.2.7 - Contributor+ Stored XSS

The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4756 YouTube Channel < 3.23.0 - Contributor+ Stored XSS via Shortcode

The My YouTube Channel WordPress plugin before 3.23.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2023-0070 ResponsiveVoice Text To Speech < 1.7.7 - Contributor+ Stored XSS

The ResponsiveVoice Text To Speech WordPress plugin before 1.7.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scriptin...

CVE-2023-0070

The CVE-2023-0070 entry concerns the ResponsiveVoice Text To Speech WordPress plugin (pre-1.7.7). Affected component: shortcode attribute handling; root cause: lack of validation/escaping of certain shortcode attributes before output. Impact: stored XSS possibility for users with the Contributor ...

CVE-2023-0154 GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS

The GamiPress WordPress plugin before 1.0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0154 GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS

The GamiPress WordPress plugin before 1.0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4824 WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode

The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4824 WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode

The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2023-0178 Annual Archive < 1.6.0 - Contributor+ Stored XSS

The Annual Archive WordPress plugin before 1.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

GigPress <= 2.3.28 - Subscriber+ SQLi

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks Run the below commands in the developer console of the web browser while being on the blog ...

WordPress plugin PDF.js Viewer 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports PHP and MySQL server set up a personal blog site. WordPress plugin is an application plug-in. A cross-site scripting vulnerability...