Lucene search
+L

111 matches found

EUVD
EUVD
added 2026/03/21 6:30 a.m.6 views

EUVD-2026-14157

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the ttpart and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS6AI score0.00248EPSS
Exploits0References10
NVD
NVD
added 2026/03/21 4:17 a.m.5 views

CVE-2026-3997

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the ttpart and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS0.00248EPSS
Exploits0References9
NVD
NVD
added 2026/03/21 4:17 a.m.6 views

CVE-2026-3554

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

6.4CVSS0.00204EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/21 3:27 a.m.3 views

CVE-2026-3997 Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the ttpart and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS6AI score0.00248EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.3 views

CVE-2026-3997

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the ttpart and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS6AI score0.00248EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/03/21 3:27 a.m.29 views

CVE-2026-3997 Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the ttpart and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS0.00248EPSS
Exploits0References9
CVE
CVE
added 2026/03/21 3:27 a.m.12 views

CVE-2026-3997

The CVE-2026-3997 entry describes a Stored Cross-Site Scripting vulnerability in the WordPress Text Toggle plugin (versions up to 1.1). The flaw is in avp_texttoggle_part_shortcode(): the ‘title’ shortcode attribute is taken from user input and concatenated into HTML output without escaping, both...

6.4CVSS6AI score0.00248EPSS
Exploits0References9
CVE
CVE
added 2026/03/21 3:27 a.m.8 views

CVE-2026-3554

The vulnerability affects the Sherk Custom Post Type Displays WordPress plugin (up to version 1.2.1). In sherkcptdisplays_func(), the title attribute of the sherkcptdisplays shortcode is read via shortcode_atts() and directly concatenated into an HTML without escaping, enabling Stored XSS. Explo...

6.4CVSS6AI score0.00204EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.3 views

CVE-2026-3554

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

6.4CVSS6AI score0.00204EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/03/21 3:27 a.m.3 views

CVE-2026-3554 Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

6.4CVSS6AI score0.00204EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/21 3:27 a.m.30 views

CVE-2026-3554 Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the...

6.4CVSS0.00204EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.10 views

PT-2026-26859

Name of the Vulnerable Software and Affected Versions Sherk Custom Post Type Displays plugin for WordPress versions up to and including 1.2.1 Description The Sherk Custom Post Type Displays plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'title' shortcode attribute...

6.4CVSS6AI score0.00204EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.5 views

PT-2026-26867

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the tt part and tt shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes...

6.4CVSS6AI score0.00248EPSS
Exploits0References10
EUVD
EUVD
added 2026/02/26 3:31 a.m.9 views

EUVD-2026-8806

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbpricingitem shortcode's title and value attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. Specifically, the plugin...

6.4CVSS5.8AI score0.00191EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/26 1:24 a.m.3 views

CVE-2026-2029 Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbpricingitem shortcode's title and value attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. Specifically, the plugin...

6.4CVSS6.1AI score0.00191EPSS
Exploits0References3
CVE
CVE
added 2026/02/14 4:35 a.m.20 views

CVE-2026-1904

CVE-2026-1904 concerns the WordPress plugin Simple Wp colorfull Accordion (vulnerable through versions up to 1.0). The issue is a Stored Cross-Site Scripting (XSS) via the shortcodes’ title attribute in the accordion shortcode. Root cause: insufficient input sanitization and output escaping. Impa...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/14 4:35 a.m.4 views

CVE-2026-1904 Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute

The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/14 4:35 a.m.33 views

CVE-2026-1904 Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute

The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00181EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/02/13 10:13 p.m.8 views

WordPress Simple Wp colorfull Accordion plugin <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute vulnerability

Authenticated Contributor+ Cross-Site Scripting via 'title' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Simple Wp colorfull Accordion versions = 1.0...

6.4CVSS5.4AI score0.00181EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/11 8:26 a.m.5 views

CVE-2026-1827 IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Flask Micro code-editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's codeflask shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.00227EPSS
Exploits0References3
Rows per page
Query Builder