PT-2025-7517 · WordPress · Show Me The Cookies

Name of the Vulnerable Software and Affected Versions: The Show Me The Cookies plugin for WordPress versions up to, and including, 1.0 Description: The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value...

WordPress Rife Elementor Extensions & Templates plugin <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Writing Effect Headline Shortcode vulnerability discovered by zer0gh0st in WordPress Plugin Rife Elementor Extensions & Templates versions = 1.2.5...

WordPress Frontend Content Forms for User Submissions (UGC) plugin <= 2.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buddyforms_nav' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'buddyformsnav' Shortcode vulnerability discovered by Max Boll b0lli in WordPress Plugin BuddyForms versions = 2.8.15...

WordPress Custom Post Type Date Archives plugin <= 2.7.1 - Missing Authorization to Unauthenticated Arbitrary Shortcode Execution vulnerability

Missing Authorization to Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Krzysztof Zając in WordPress Plugin Custom Post Type Date Archives versions = 2.7.1...

WordPress Show Me The Cookies plugin <= 1.0 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Krzysztof Zając in WordPress Plugin Show Me The Cookies versions = 1.0...

CVE-2025-1489

The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVE-2024-13455

The igumbi Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'igumbicalendar' shortcode in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-12452

The Ziggeo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ziggeoevent' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

CVE-2024-13648

The Maps for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MapOnePoint' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-1410

The Events Calendar Made Simple – Pie Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's piecal shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-13674

The Cosmic Blocks 40+ Content Editor Blocks Collection plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cwpsocialshare' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2025-1407

The AMO Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's amoteamskills shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-13672

The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mcg' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied...

PT-2025-7515 · WordPress · Wp-Appbox

Name of the Vulnerable Software and Affected Versions: WP-Appbox plugin for WordPress versions up to, and including, 4.5.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's appbox shortcode due to insufficient input sanitization and output escaping on user-supplied...

PT-2025-7377 · WordPress · The Mini Course Generator

Name of the Vulnerable Software and Affected Versions: The Mini Course Generator | Embed mini-courses and interactive content plugin for WordPress versions up to, and including, 1.0.5 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and outpu...

PT-2025-7347 · WordPress · Tcbd Tooltip

Name of the Vulnerable Software and Affected Versions: TCBD Tooltip plugin for WordPress versions up to, and including, 1.0 Description: The TCBD Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tcbdtooltip text shortcode due to insufficient input...

WordPress WP-Appbox plugin <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via appbox Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin WP-Appbox versions = 4.5.4...

WordPress Pie Calendar plugin <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via piecal Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Pie Calendar versions = 1.2.5...

WordPress Newpost Catch plugin <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via npc Shortcode vulnerability discovered by Krzysztof Zając in WordPress Plugin Newpost Catch versions = 1.3.19...

CVE-2024-13689

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...