8961 matches found
Simple File Downloader <= 1.0.4 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a Contributor+ create a new post and...
Opening Hours <= 2.3.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Note: A Set needs to be present op-is-op...
Easy Social Box < 4.1.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC easy-fb-like-box locale='"; alert1; var...
Post Views Count <= 3.0.2 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a Contributor+ create a new post and...
Loan Comparison < 1.5.2 - Reflected XSS via shortcode
The plugin does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL. PoC Create a page "Test" containing the shortcode "loancomparison",...
Login Logout Menu <= 1.3.3 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks login edittag=' onmouseover="alert1"'...
Loan Comparison < 1.5.3 - Contributor+ Stored XSS via shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks loancomparison slider='" onmouseover="alert1...
Opening Hours <= 2.3.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: A Set needs to be present op-is-open...
Easy Social Box < 4.1.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks easy-fb-like-box locale='"; alert1; var xss=...
Loan Comparison < 1.5.2 - Reflected XSS via shortcode
The plugin does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL. Create a page "Test" containing the shortcode "loancomparison", then...
Page Builder: Live Composer < 1.5.23 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC dslcnotification color='red"...
Shortcode for Font Awesome < 1.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC fa set='" onmouseover="alert1"...
Timed Content < 2.73 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC timed-content-client hide="10:00:'...
Product Slider and Carousel with Category for WooCommerce < 2.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC wcpscwcpdtslider design='" onmouseover="alert1"'...
Markup <= 4.8.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wp-structuring-markup-breadcrumb class=...
Page Builder: Live Composer < 1.5.23 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. dslcnotification color='red"...
Product Slider and Carousel with Category for WooCommerce < 2.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. wcpscwcpdtslider design='" onmouseover="alert1"'...
Markup <= 4.8.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wp-structuring-markup-breadcrumb class='"...
CVE-2023-23687
Auth. Stored Cross-Site Scripting XSS vulnerability in Youtube shortcode = 1.8.5 versions...
CVE-2023-23687 WordPress Youtube shortcode Plugin <= 1.8.5 is vulnerable to Cross Site Scripting (XSS)
Auth. Stored Cross-Site Scripting XSS vulnerability in Youtube shortcode = 1.8.5 versions...