CVE-2023-4035

The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2025-13153

CVE-2025-13153 — The Logo Slider WordPress plugin prior to 4.9.0 does not validate or escape certain slider options before echoing them in the dashboard, enabling Stored XSS for users with contributor+ privileges. Root cause: insufficient input validation/escaping in the plugin’s dashboard output...

CVE-2025-6200

The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0275

The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

CVE-2023-0399

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Sit...

CVE-2025-21423 Improper Validation of Array Index in Display

Memory corruption occurs when handling client calls to EnableTestMode through an Escape call...

CVE-2024-11606

The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2024-6158

The CVE-2024-6158 issue affects two WordPress widgets: Category Posts Widget (plugins) up to version 4.9.17, and Term-and-Category-Based-Posts-Widget up to 4.9.13. Root cause: both fail to validate and escape certain Category Posts widget settings before echoing them in a page/post, enabling stor...

Spectra < 2.7.10 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CBX Map for Google Map & OpenStreetMap < 1.1.12 - Contributor+ Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

Slimstat Analytics < 5.0.9 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

nuajik CDN <= 0.1.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WRC Pricing Tables < 2.3.9 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

a3 Portfolio < 3.1.1 - Author+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks...

Display post meta, term meta, comment meta, and user meta <= 0.4.1 - Contributor+ Stored Cross-Site Scripting

The plugin does not validate and escape post metadata before outputting it back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins...

CVE-2023-0526

The Post Shortcode WordPress plugin through 2.0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

PT-2023-16735 · WordPress · Complianz Premium Wordpress Plugin +1

Name of the Vulnerable Software and Affected Versions: Complianz WordPress plugin versions prior to 6.4.2 Complianz Premium WordPress plugin versions prior to 6.4.2 Description: The issue is related to the failure of the Complianz WordPress plugin and Complianz Premium WordPress plugin to validat...

menu shortcode <= 1.0 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit shortcode: redirect duration="1"...

CVE-2022-4679

The Wufoo Shortcode WordPress plugin before 1.52 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2022-4764

The Simple File Downloader WordPress plugin through 1.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attac...