CVE-2025-11722
CVE-2025-11722 affects the WordPress plugin “Woocommerce Category and Products Accordion Panel” (accordion-panel-for-category-and-products). The vulnerability is Local File Inclusion via the categoryaccordionpanel shortcode in all versions up to 1.0, exploitable by authenticated attackers...
CVE-2025-10132 Dhivehi Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
EUVD-2025-34554
The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11722 Category and Products Accordion Panel <= 1.0 - Authenticated (Contributor+) Local File Inclusion
The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2025-10132
The CVE-2025-10132 issue affects the Dhivehi Text WordPress plugin (versions
CVE-2025-10575 WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode
The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of...
CVE-2025-10575
CVE-2025-10575: WordPress plugin WP jQuery Pager contains an SQL Injection via the ids shortcode attribute, handled by WPJqueryPaged::get_gallery_page_imgs(). Affected in all versions up to and including 1.4.0 due to insufficient escaping and lack of prepared statements. Exploitation requires au...
EUVD-2025-34565
The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
CVE-2025-10730
The CVE-2025-10730 entry concerns the WordPress plugin Wp tabber widget. Public details confirm an SQL Injection flaw in all versions up to 4.0 via the wp-tabber-widget shortcode, enabling authenticated attackers with Contributor-level access and above to append SQL statements to existing queries...
CVE-2025-10730 Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection
The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
CVE-2025-10139
CVE-2025-10139 concerns the WordPress plugin WP BookWidgets. According to Wordfence, it is vulnerable to a stored cross-site scripting (XSS) condition via the plugin’s bw_link shortcode in versions up to and including 0.9, caused by insufficient input sanitization and output escaping of user-supp...
EUVD-2025-34533
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...
CVE-2025-11161 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...
CVE-2025-11161
CVE-2025-11161 affects the WPBakery Page Builder plugin for WordPress (versions up to 8.6.1). The vulnerability is a Stored Cross-Site Scripting (XSS) in the vc_custom_heading shortcode due to insufficient restriction of allowed HTML tags and improper sanitization of font_container attributes. Th...
CVE-2025-8561
The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
CVE-2025-10406
The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...
CVE-2025-10406 BlindMatrix e-Commerce < 3.1 - Contributor+ LFI
The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...