264250 matches found
CVE-2026-8845 Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...
EUVD-2026-32079
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebaseauth function authenticating the request as the WordPress user whose email is supplied in the useremail POST parameter without...
CVE-2026-8787
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebaseauth function authenticating the request as the WordPress user whose email is supplied in the useremail POST parameter without...
CVE-2026-8845
The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...
CVE-2026-8873
The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...
CVE-2026-8787 Firebase Support & Chat Management <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebaseauth function authenticating the request as the WordPress user whose email is supplied in the useremail POST parameter without...
CVE-2026-8787
The CVE applies to the WordPress plugin Firebase Support & Chat Management (up to version 3.1.1 ). The root cause is in the firebase_auth() function, which authenticates using the target WordPress user’s email supplied in the user_email POST parameter without verifying ownership or issuing a vali...
CVE-2026-8846
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...
CVE-2026-8846
CVE-2026-8846 affects the WordPress Tuxquote plugin (versions ≤ 1.3). The vulnerability is a Stored Cross-Site Scripting (XSS) in the TUXQUOTE shortcode, caused by insufficient input sanitization and output escaping for attributes (title, align, width) in tuxquote_build_format(), which are concat...
EUVD-2026-32077
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...
CVE-2026-8891 BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...
CVE-2026-8846 Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...
CVE-2026-8891
The CVE-2026-8891 entry concerns the BitForm WordPress plugin. Affected component: BitForm shortcode handling in WordPress plugin versions up to and including 1.1.0. Root cause: insufficient input sanitization and output escaping on user-supplied shortcode attributes (width and height) in Shortco...
CVE-2026-8891
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...
EUVD-2026-32078
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...
CVE-2026-8891 BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...
CVE-2026-8846 Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...
CVE-2026-8872 Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the...
CVE-2026-8872
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the...
EUVD-2026-32075
The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...