CVE-2026-39625 WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through = 3.0.3...

CVE-2026-39612 WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through = 4.2.9...

CVE-2026-39612 WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through = 4.2.9...

CVE-2026-39612

CVE-2026-39612 affects the WordPress theme KuteShop (KuteShop theme) ≤ 4.2.9. Root cause: missing authorization / incorrectly configured access control that enables unauthorized actions. Impact: arbitrary shortcode execution within the affected site. Exploitation details are not provided in the c...

CVE-2026-1396

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2026-1396 Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2026-1396

The CVE-2026-1396 entry affects the WordPress plugin Magic Conversation For Gravity Forms. It reports a Stored Cross-Site Scripting vulnerability in the magic-conversation shortcode, caused by insufficient input sanitization and output escaping on user-supplied attributes. Affected versions are a...

WordPress WP Blockade plugin <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability discovered by theviper17y in WordPress Plugin WP Blockade versions = 0.9.14...

CVE-2026-5506

The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wave shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2026-5508

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-4871

The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the scmmemberdata shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-3618

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

CVE-2026-5506 Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wave shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2026-5506 Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wave shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2026-5506

The CVE-2026-5506 entry concerns the WordPress Wavr plugin (versions up to 0.2.6). The vulnerability is a Stored Cross-Site Scripting flaw via the plugin’s wave shortcode attributes stemming from insufficient input sanitization and output escaping. The impact allows authenticated attackers with c...

CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

CVE-2026-3618

The CVE concerns the WordPress plugin Columns by BestWebSoft (

CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...