CVE-2026-0738

The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sucarousel shortcode in all versions up to, and including, 7.4.8. This is due to insufficient input sanitization and output escaping in the 'suslidelink' attachment meta field...

CVE-2026-2480

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'maxwidth' attribute of the subox shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes...

CVE-2026-1889

The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Modern Heading Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Shortcodes and extra features for Phlox theme versions = 2.17.13...

CVE-2023-25040

Auth. contributor+ Stored Cross-Site Scripting XSS vulnerability in Vova Anokhin WordPress Shortcodes Plugin — Shortcodes Ultimate plugin = 5.12.6 versions...

CVE-2025-63071

The CVE-2025-63071 entry describes an information-disclosure vulnerability in the WordPress plugin Shortcodes and extra features for Phlox theme (auxin-elements). The issue is an insertion of sensitive information into data sent by the plugin, allowing retrieval of embedded sensitive data. Affect...

EUVD-2025-198591

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the sushortcodecsvtable function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make...

CVE-2025-11764 Shortcodes Bootstrap <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the notification shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated...

WordPress plugin Shortcodes Ultimate 跨站脚本漏洞

WordPress Shortcodes Ultimate plugin is a plugin for WordPress that provides a rich set of visual component features that allow users to insert a wide range of pre-defined shortcodes such as buttons, accordions, image rotations, etc. into post editors, text widgets, or template files, helping to...

CVE-2023-0911

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta except the userpass, such as the user email and activati...

CVE-2023-23800

Server-Side Request Forgery SSRF vulnerability in Vova Anokhin WP Shortcodes Plugin — Shortcodes Ultimate.This issue affects WP Shortcodes Plugin — Shortcodes Ultimate: from n/a through 5.12.6...

CVE-2025-3472 Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

CVE-2022-24663

PHP Everywhere = 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...

CVE-2023-23725 WordPress Shortcodes by Angie Makes plugin <= 3.46 - Broken Access Control vulnerability

Missing Authorization vulnerability in Chris Baldelomar Shortcodes wc-shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes: from n/a through = 3.46...

CVE-2023-23725 WordPress Shortcodes by Angie Makes plugin <= 3.46 - Broken Access Control vulnerability

Missing Authorization vulnerability in Chris Baldelomar Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes: from n/a through 3.46...

WordPress Shortcodes Blocks Creator Ultimate Plugin <= 2.1.3 is vulnerable to Cross Site Scripting (XSS)

Software Shortcodes Blocks Creator Ultimate Type Plugin Vulnerable versions = 2.1.3 Fixed in 2.2.0 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-10340 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID e3eb71af58b7 Credits Istv...

WordPress Shortcodes Ultimate Plugin <= 7.2.2 is vulnerable to Cross Site Scripting (XSS)

Software Shortcodes Ultimate Type Plugin Vulnerable versions = 7.2.2 Fixed in 7.3.0 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-8500 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 7fd442dd2a35 Credits Webbernaut Required...

VulnCheck KEV: CVE-2022-24663

PHP Everywhere = 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...

WordPress Shortcodes Ultimate Pro Plugin < 7.1.5 is vulnerable to Cross Site Scripting (XSS)

Software Shortcodes Ultimate Pro Type Plugin Vulnerable versions 7.1.5 Fixed in 7.1.5 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-4217 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID b6182f916e0f Credits Dmitrii Ignatyev...

WordPress Shortcodes by United Themes Plugin < 5.0.5 is vulnerable to Cross Site Scripting (XSS)

Software Shortcodes by United Themes Type Plugin Vulnerable versions 5.0.5 Fixed in 5.0.5 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-37097 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 6a3726b5a722 Credits Rafie Muhammad...