5210 matches found
Accordion < 2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description: The Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcpaccordion' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Namaste! LMS < 2.6.1.2 - Reflected Cross-Site Scripting
Description: The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'courseid' parameter in versions up to, and including, 2.6.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2023-5706
The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-5667
The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2023-5234
The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-5048
The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ContactFormBuilder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible for...
Cross site scripting
The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
Cross site scripting
The Sponsors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sponsors' shortcode in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacke...
Cross site scripting
The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-5715
CVE-2023-5715 (Website Optimization – Plerdy, WordPress) is a stored XSS in the Plerdy plugin for WordPress, affecting all versions up to 1.3.2 on multi-site or where unfiltered_html is disabled. Root cause: insufficient input sanitization and output escaping in the plugin’s tracking code setting...
CVE-2023-5708 WP Post Columns <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP Post Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'column' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2023-5163 Weather Atlas Widget <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Weather Atlas Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shortcode-weather-atlas' shortcode in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2023-5469 Drop Shadow Boxes <= 1.7.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
CVE-2023-5234
The CVE-2023-5234 entry is valid and documented in Wordfence/WPVulndb sources as a stored XSS vulnerability in the Related Products for WooCommerce plugin for WordPress. Affected component: the woo-related shortcode within the plugin, vulnerable due to insufficient input sanitization and output e...
CVE-2023-5338 Theme Blvd Shortcodes <= 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Theme Blvd Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2023-5128 TCD Google Maps <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The TCD Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'map' shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2023-5119
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a...
Code injection
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a...
CVE-2023-5119
CVE-2023-5119 affects the Forminator WordPress plugin prior to 1.27.0. The issue stems from improper sanitization of the redirect-url field in form submission settings, enabling high-privilege users (e.g., admins) to inject arbitrary web scripts even when unfiltered_html is disallowed (multisite ...
CVE-2023-48300 Embed Privacy missing escaping for show_all attribute in opt-out shortcode
The Embed Privacy plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via the embed_privacy_opt_out shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attribute...