CVE-2026-9644

The CVE pertains to the LiveSmart Video Chat WordPress plugin, affecting versions up to 1.2. The root cause is insufficient input sanitization and output escaping for attributes used by the livesmart_widget shortcode. This enables Stored Cross-Site Scripting where an attacker with contributor-lev...

PT-2026-44191

The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2025-13887

CVE-2025-13887 affects the WordPress plugin AI BotKit – AI Chatbot for WordPress. It is a Stored Cross-Site Scripting vulnerability via the query parameter 'id' in the ai_botkit_widget shortcode, exploitable by authenticated users with Contributor-level access and above. Affected versions: all un...

CVE-2025-11827

CVE-2025-11827 : The Oboxmedia Ads WordPress plugin is vulnerable to Stored Cross-Site Scripting via the oboxads-ad-widget shortcode, specifically through the before_widget and after_widget parameters in versions up to and including 1.9.8. The issue arises from insufficient input sanitization and...

CVE-2025-11827 Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'beforewidget' and 'afterwidget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it...

EUVD-2024-51677

Malicious code in bioql PyPI...

WordPress plugin Podcast Feed Player Widget and Shortcode 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in...

CVE-2024-13572

The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

PT-2025-2221 · WordPress · Precious Metals Charts/Widgets

Name of the Vulnerable Software and Affected Versions: Precious Metals Charts and Widgets for WordPress plugin versions 1.2.8 and earlier Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode due to insufficient input sanitization and output...

PT-2024-17243 · WordPress · Newsmanapp

Name of the Vulnerable Software and Affected Versions: NewsmanApp plugin for WordPress versions up to, and including, 2.7.6 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'newsman subscribe widget' shortcode due to insufficient input sanitization and output...

CVE-2024-54255

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in aviplugins.com Login Widget With Shortcode login-sidebar-widget allows Phishing.This issue affects Login Widget With Shortcode: from n/a through = 6.1.2...

PT-2024-36135 · Unknown · Login Widget With Shortcode

Name of the Vulnerable Software and Affected Versions: Login Widget With Shortcode versions n/a through 6.1.2 Description: The issue is an Open Redirect vulnerability that allows phishing attacks. This vulnerability exists in the Login Widget With Shortcode and can be exploited to redirect users ...

WordPress Widget or Sidebar Shortcode plugin <= 0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by theviper17y in WordPress Plugin Widget or Sidebar Shortcode versions = 0.6.1...

WordPress Page Builder by SiteOrigin plugin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'siteoriginwidget' Shortcode vulnerability discovered by stealthcopter in WordPress Plugin Page Builder by SiteOrigin versions = 2.29.15...

PT-2024-30604 · Siteorigin · The Page Builder By Siteorigin

Name of the Vulnerable Software and Affected Versions: Page Builder by SiteOrigin plugin for WordPress versions up to, and including, 2.29.15 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'siteorigin widget' shortcode due to insufficient input sanitization and...

WordPress Advanced Social Feeds Widget & Shortcode Plugin <= 1.7 is vulnerable to Cross Site Scripting (XSS)

Software Advanced Social Feeds Widget & Shortcode Type Plugin Vulnerable versions = 1.7 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-0951 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 185d76acedb2 Credits...

WordPress Plugin Advanced Social Feeds Widget & Shortcode Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

CVE-2022-4473

The Widget Shortcode WordPress plugin through 0.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...

CVE-2022-4473

CVE-2022-4473 concerns the WordPress plugin Widget Shortcode (

CVE-2022-4473 Widget Shortcode <= 0.3.5 - Contributor+ Stored XSS

The Widget Shortcode WordPress plugin through 0.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...