6446 matches found
CVE-2026-4011
The CVE-2026-4011 entry describes a Stored Cross-Site Scripting flaw in the Power Charts Lite WordPress plugin (versions
CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute
The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...
CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters
The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...
CVE-2026-1607
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
CVE-2026-4059 ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentorquickviewbutton shortcode's buttontext attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode...
CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
CVE-2026-6227 BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the blockname parameter of the /wp-json/backwpup/v1/getblock REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive strreplace sanitization of path traversal sequences. This makes it possible for...
CVE-2026-2305 AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the aFhfcheadcode, aFhfcbodycode, and aFhfcfootercode post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or...
EUVD-2024-33399
The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2024-46836
The Ultimate Post Kit Addons For Elementor – Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count Static widget in all versions up to, and...
EUVD-2024-47007
The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eaflresetsettings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and...
EUVD-2024-50273
The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
EUVD-2024-33448
The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg and removequeryarg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated...
CVE-2026-0811 Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vszcf7savesettingcallback' function. This makes it possible for unauthenticated attackers to...
WordPress plugin ProSolution WP Client 代码问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-0738 Shortcodes Ultimate <= 7.4.8 - authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sucarousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'suslidelink' attachment meta field...
CVE-2026-3571
The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is affected by an authorization flaw in which the pie_main() function lacks a capability check across all versions up to 3.8.4.8. This allows unauthenticated attackers to modify the registration form status,...
CVE-2026-2480
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'maxwidth' attribute of the subox shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2026-2389
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the revertdivstosummary function replacing " HTML entities with literal double-quote characters " in post content without...
CVE-2026-4335
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment posttitle in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...