
8972 matches found

OSV
added 2024/08/29 11:15 a.m. · 3 views

CVE-2024-7606

The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode in all versions up to, and including, 3.2.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 6 · EPSS 0.00311
Exploits 0 · References 4
Positive Technologies
added 2024/08/28 12:0 a.m. · 5 views

PT-2024-38447 · WordPress · Front End Users

Name of the Vulnerable Software and Affected Versions: Front End Users plugin for WordPress versions up to, and including, 3.2.28 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode due to insufficient input sanitization and output escaping on...

CVSS 6.4 · AI score 6 · EPSS 0.00311
Exploits 0 · References 10
Patchstack
added 2024/08/26 8:54 a.m. · 2 views

WordPress NitroPack plugin <= 1.16.7 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin NitroPack versions <= 1.16.7...

CVSS 9.8 · AI score 7.1 · EPSS 0.00354
Exploits 0 · Affected Software 1
Positive Technologies
added 2024/08/24 12:0 a.m. · 2 views

PT-2024-38484 · Devvn · The Image Hotspot

Name of the Vulnerable Software and Affected Versions: The Image Hotspot by DevVN plugin for WordPress versions 1.2.5 and earlier Description: The issue concerns PHP Object Injection via deserialization of untrusted input in the devvn ihotspot shortcode func function. This allows authenticated...

CVSS 8.8 · AI score 7 · EPSS 0.00783
Exploits 0 · References 10
Positive Technologies
added 2024/08/19 12:0 a.m. · 3 views

PT-2024-37912 · WordPress · Wp Last Modified Info

Name of the Vulnerable Software and Affected Versions: WP Last Modified Info plugin for WordPress versions up to, and including, 1.9.0 Description: The issue is related to Stored Cross-Site Scripting via the template attribute of the lmt-post-modified-info shortcode. This is due to insufficient...

CVSS 6.4 · AI score 5.9 · EPSS 0.00313
Exploits 0 · References 12
Vulnrichment
added 2024/08/16 1:59 a.m. · 7 views

CVE-2023-7049 Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the 'cmfieldshow' shortcode due to missing validation on the 'jobid' user controlled key. This makes it possible for authenticated attackers...

CVSS 4.3 · AI score 6.5 · EPSS 0.00388
Exploits 0 · References 2
Patchstack
added 2024/08/16 1:31 a.m. · 4 views

WordPress Custom Field For WP Job Manager plugin <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability

Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode vulnerability discovered by Francesco Carlucci in WordPress Plugin Custom Field For WP Job Manager versions <= 1.2...

CVSS 4.3 · AI score 6.9 · EPSS 0.00388
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2024/08/15 3:17 a.m. · 4 views

WordPress WP MultiTasking plugin <= 0.1.12 - Reflected XSS via Shortcode vulnerability

Reflected XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin WP MultiTasking versions <= 0.1.12...

CVSS 5.4 · AI score 6.3 · EPSS 0.00171
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2024/08/14 12:0 a.m. · 1 views

PT-2024-37694 · WordPress · Sheet To Table Live Sync For Google Sheet

Name of the Vulnerable Software and Affected Versions: The Sheet to Table Live Sync for Google Sheet plugin for WordPress versions up to, and including, 1.0.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's STWT Sheet Table shortcode due to insufficient input...

CVSS 6.4 · AI score 5.9 · EPSS 0.00342
Exploits 0 · References 8
Patchstack
added 2024/08/12 3:3 a.m. · 2 views

WordPress MDx theme <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via mdx_list_item Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via mdx_list_item Shortcode vulnerability discovered by Carson Chan in WordPress Theme MDx versions <= 2.0.3...

CVSS 6.4 · AI score 5.8 · EPSS 0.00379
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2024/08/12 12:0 a.m. · 4 views

PT-2024-37768 · WordPress · Mdx Theme

Name of the Vulnerable Software and Affected Versions: MDx theme for WordPress versions up to, and including, 2.0.3 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'mdx_list_item' shortcode due to insufficient input sanitization and output escaping on user-suppli...

CVSS 6.4 · AI score 5.8 · EPSS 0.00379
Exploits 0 · References 12
Patchstack
added 2024/08/06 3:6 a.m. · 4 views

WordPress Cooked Plugin <= 1.8.0 - Authenticated (Subscriber+) Persistent Cross-Site Scripting via Shortcode vulnerability

Authenticated (Subscriber+) Persistent Cross-Site Scripting via Shortcode vulnerability discovered by re-alter in WordPress Plugin Cooked versions <= 1.8.0...

CVSS 5.4 · AI score 6.4 · EPSS 0.00359
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2024/08/05 8:12 p.m. · 14 views

CVE-2024-41816 WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘cooked-timer’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticate...

CVSS 5.4 · AI score 5.2 · EPSS 0.00359
Exploits 1 · References 2
Patchstack
added 2024/08/05 12:31 p.m. · 3 views

WordPress Horizontal scrolling announcements plugin <= 2.4 - Authenticated (Contributor+) SQL Injection via Shortcode vulnerability

Authenticated (Contributor+) SQL Injection via Shortcode vulnerability discovered by István Márton in WordPress Plugin Horizontal scrolling announcements versions <= 2.4...

CVSS 8.8 · AI score 8.1 · EPSS 0.00613
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/08/01 5:15 a.m. · 1 views

CVE-2024-2090

The Remote Content Shortcode plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5 via the remotecontent shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary...

CVSS 6.4 · AI score 5.9 · EPSS 0.0026
Exploits 0 · References 2
Cvelist
added 2024/08/01 4:29 a.m. · 31 views

CVE-2024-2090 Remote Content Shortcode <= 1.5 - Authenticated (Contributor+) Server-Side Request Forgery

The Remote Content Shortcode plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5 via the remotecontent shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary...

CVSS 6.4 · EPSS 0.0026
Exploits 0 · References 2
Patchstack
added 2024/08/01 12:51 a.m. · 3 views

WordPress Remote Content Shortcode plugin <= 1.5 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated (Contributor+) Server-Side Request Forgery vulnerability discovered by Francesco Carlucci in WordPress Plugin Remote Content Shortcode versions <= 1.5...

CVSS 6.4 · AI score 7.1 · EPSS 0.0026
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2024/08/01 12:0 a.m. · 3 views

WordPress plugin Remote Content Shortcode security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation, a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A security vulnerability exists in WordPress plugin Remote Content...

CVSS 6.4 · AI score 6.6 · EPSS 0.0026
Exploits 0 · References 3
Positive Technologies
added 2024/08/01 12:0 a.m. · 4 views

PT-2024-18813 · WordPress · Remote Content Shortcode

Name of the Vulnerable Software and Affected Versions: Remote Content Shortcode plugin for WordPress versions up to, and including, 1.5 Description: The issue allows authenticated attackers with contributor-level access and above to make web requests to arbitrary locations originating from the we...

CVSS 6.4 · AI score 6.2 · EPSS 0.0026
Exploits 0 · References 6
Patchstack
added 2024/07/31 3:20 a.m. · 3 views

WordPress Download Manager plugin <= 3.2.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Jack Taylor in WordPress Plugin Download Manager versions <= 3.2.97...

CVSS 6.4 · AI score 5.8 · EPSS 0.00363
Exploits 0 · References 1 · Affected Software 1