CVE-2026-3659 WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

CVE-2026-3659

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-5717

The CVE-2026-5717 entry concerns the WordPress plugin VI: Include Post By. Affected: all versions up to 0.4.200706. Issue: Stored Cross-Site Scripting via the class_container attribute of the include-post-by-cat shortcode, caused by insufficient input sanitization and output escaping on user-supp...

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

WordPress Coachific Shortcode plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'userhash' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'userhash' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Coachific Shortcode versions = 1.0...

WordPress WP Circliful plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin WP Circliful versions = 1.2...

WordPress Power Charts plugin <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Power Charts versions = 0.1.0...

WordPress VI: Include Post By plugin <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'classcontainer' Shortcode Attribute vulnerability discovered by MAJidox in WordPress Plugin VI: Include Post By versions = 0.4.200706...

PT-2026-33013

Name of the Vulnerable Software and Affected Versions VI: Include Post By versions prior to 0.4.200706 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping on user supplied attributes. Authenticated attackers with contributor-level access and...

PT-2026-33025

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize text field on the 'userhash'...

PT-2026-33026

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the ...

PT-2026-33022

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circliful direct shortcode in all versions up to and including 1.2. This is due to insufficient input...

WordPress plugin WP Circliful 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

WordPress plugin Coachific Shortcode 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-33023

The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the jqmath shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The genera...

WordPress Germanized for WooCommerce plugin <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Chiao-Lin Yu Steven Meow - Trend Micro in WordPress Plugin Germanized for WooCommerce versions = 3.20.5...

CVE-2026-2582

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'accountholder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVE-2026-2582 Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'accountholder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running...

EUVD-2026-22223

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'accountholder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running...