
8984 matches found

Cvelist
added 2025/01/24 5:24 p.m. | 15 views

CVE-2025-24687 WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Lars Wallenborn Show/Hide Shortcode showhide-shortcode allows Stored XSS. This issue affects Show/Hide Shortcode: from n/a through <= 1.0.0...

CVSS: 6.5 | EPSS: 0.00334
Exploits: 0 | References: 1

Vulnrichment
added 2025/01/24 5:24 p.m. | 3 views

CVE-2025-24636 WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...

CVSS: 7.1 | AI score: 8.6 | EPSS: 0.00175
Exploits: 0 | References: 1

Cvelist
added 2025/01/24 5:24 p.m. | 16 views

CVE-2025-24636 WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in Rick Laymance MachForm Shortcode machform-shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through <= 1.4.1...

CVSS: 7.1 | EPSS: 0.00175
Exploits: 0 | References: 1

CVE
added 2025/01/24 5:24 p.m. | 45 views

CVE-2025-24636

CVE-2025-24636 : WordPress MachForm Shortcode (Laymance Technologies LLC) has a CSRF to Stored XSS vulnerability affecting MachForm Shortcode versions up to 1.4.1. The vulnerability is rated with CVSSv3.1 base score 7.1 (HIGH). Public references indicate the issue exists in the plugin from n/a th...

CVSS: 7.1 | AI score: 7.2 | EPSS: 0.00175
Exploits: 0 | References: 1

Patchstack
added 2025/01/24 11:47 a.m. | 3 views

WordPress Show/Hide Shortcode plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by SOPROBRO in WordPress Plugin Show/Hide Shortcode versions <= 1.0.0...

CVSS: 6.5 | AI score: 6.1 | EPSS: 0.00334
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/01/24 11:47 a.m. | 4 views

WordPress MachForm Shortcode plugin <= 1.4.1 - CSRF to Stored XSS vulnerability

CSRF to Stored XSS vulnerability discovered by SOPROBRO in WordPress Plugin MachForm Shortcode versions <= 1.4.1...

CVSS: 7.1 | AI score: 6.2 | EPSS: 0.00175
Exploits: 0 | Affected Software: 1

OSV
added 2025/01/24 11:15 a.m. | 3 views

CVE-2024-13542

The WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied...

CVSS: 5.4 | AI score: 7.4 | EPSS: 0.00236
Exploits: 0 | References: 2

OSV
added 2025/01/24 11:15 a.m. | 1 views

CVE-2024-13594

The Simple Downloads List plugin for WordPress is vulnerable to SQL Injection via the 'category' attribute of the 'neofixsdl' shortcode in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00395
Exploits: 0 | References: 3

OSV
added 2025/01/24 11:15 a.m. | 3 views

CVE-2024-13408

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the pgcu shortcode. This makes it possible for authenticated attacker...

CVSS: 8.8 | AI score: 7.8
Exploits: 0 | References: 2

OSV
added 2025/01/24 11:15 a.m. | 2 views

CVE-2024-13572

The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00216
Exploits: 0 | References: 2

NVD
added 2025/01/24 11:15 a.m. | 16 views

CVE-2024-13572

The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

CVSS: 6.4 | EPSS: 0.00216
Exploits: 0 | References: 2

OSV
added 2025/01/24 10:15 a.m. | 2 views

CVE-2024-13583

The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2twsgwf' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS: 5.4 | AI score: 7.4
Exploits: 0 | References: 3

OSV
added 2025/01/24 10:15 a.m. | 4 views

CVE-2024-12494

The BMLT Meeting Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bmltmeetingmap' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS: 5.4 | AI score: 6 | EPSS: 0.00289
Exploits: 0 | References: 3

OSV
added 2025/01/24 7:15 a.m. | 1 views

CVE-2024-13680

The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CPEASYFORMWILLAPPEARHERE' shortcode in all versions up to, and including, 1.2.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00434
Exploits: 0 | References: 3

OSV
added 2025/01/24 6:15 a.m. | 1 views

CVE-2024-13659

The Listamester plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listamester' shortcode in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS: 5.4 | AI score: 7.4 | EPSS: 0.00269
Exploits: 0 | References: 3

Positive Technologies
added 2025/01/24 12:0 a.m. | 6 views

PT-2025-2161 · WordPress · Post Grid

Name of the Vulnerable Software and Affected Versions: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress versions up to, and including, 1.6.10 Description: The issue allows authenticated attackers, with Contributor-level access and...

CVSS: 8.8 | AI score: 8.1 | EPSS: 0.00582
Exploits: 0 | References: 10

Positive Technologies
added 2025/01/24 12:0 a.m. | 3 views

PT-2025-2227 · WordPress · Simple Downloads List

Name of the Vulnerable Software and Affected Versions: Simple Downloads List plugin for WordPress versions up to, and including, 1.4.2 Description: The issue concerns a SQL injection vulnerability via the category attribute of the neofix sdl shortcode. This vulnerability is due to insufficient...

CVSS: 6.5 | AI score: 7.7 | EPSS: 0.00395
Exploits: 0 | References: 9

Positive Technologies
added 2025/01/24 12:0 a.m. | 4 views

PT-2025-1867 · WordPress · Bmlt Meeting Map

Name of the Vulnerable Software and Affected Versions: BMLT Meeting Map plugin for WordPress versions up to, and including, 2.6.1 Description: The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's bmlt meeting map shortcode. This...

CVSS: 6.4 | AI score: 7.2 | EPSS: 0.00289
Exploits: 0 | References: 9

Positive Technologies
added 2025/01/24 12:0 a.m. | 3 views

PT-2025-2211 · WordPress · Wp Google Street View

Name of the Vulnerable Software and Affected Versions: WP Google Street View with 360° virtual tour & Google maps + Local SEO plugin for WordPress version 1.1.3 and all versions prior to this. Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode due ...

CVSS: 6.4 | AI score: 6.1 | EPSS: 0.00236
Exploits: 0 | References: 9

Positive Technologies
added 2025/01/24 12:0 a.m. | 2 views

PT-2025-5507 · Unknown · Lars Wallenborn Show/Hide Shortcode

Name of the Vulnerable Software and Affected Versions: Lars Wallenborn Show/Hide Shortcode versions 1.0.0 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for Stored Cross-site Scripting XSS. This means that an attacker can...

CVSS: 6.5 | AI score: 5.4 | EPSS: 0.00334
Exploits: 0 | References: 3