264402 matches found
CVE-2026-8898 Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes such as 'organizerid', 'width', 'height',...
CVE-2026-8866
The CVE-2026-8866 entry concerns the jQuery googleslides plugin for WordPress (versions up to 1.3). The vulnerability is a Stored Cross-Site Scripting flaw in the googleslides_handler() function, caused by insufficient input sanitization and output escaping of shortcode attributes (userid, albumi...
EUVD-2026-32069
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...
EUVD-2026-32068
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostatsmanage function. This makes it possible for unauthenticated attackers to update the plugin's...
EUVD-2026-32066
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8943
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostatsmanage function. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2026-8941
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8941
The CVE concerns the WordPress plugin CDN Linker lite (
CVE-2026-8943 GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostatsmanage function. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2026-8941 CDN Linker lite <= 1.3.1 - Cross-Site Request Forgery to Plugin Settings Update
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8943 GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostatsmanage function. This makes it possible for unauthenticated attackers to update the plugin's...
EUVD-2026-32067
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdloffoptions function. This makes it possible for unauthenticated attackers to update the plugin's settings ...
CVE-2026-8701
The CVE-2026-8701 entry describes a Stored XSS in the WordPress plugin GNTT Post Title Ticker (versions
CVE-2026-8701 GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8943
GoStats for WordPress plugin for WordPress is vulnerable to Cross‑Site Request Forgery in all versions up to 1.4 due to missing or incorrect nonce validation in gostats_manage(). This allows unauthenticated attackers to modify settings (gostats_siteid, gostats_server) via forged requests if a sit...
CVE-2026-8701
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8701 GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the title-ticker-slide, title-ticker-fade, and title-ticker-typing shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes notably border,...
CVE-2026-8897 Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...
EUVD-2026-32065
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
EUVD-2026-32064
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...