5 matches found
CVE-2025-11809
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
CVE-2025-11809
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
CVE-2025-11809 WP-Force Images Download <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
EUVD-2025-35346
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
CVE-2025-11809
CVE-2025-11809 refers to the WP-Force Images Download plugin for WordPress (versions up to 1.8). The issue is a Stored XSS via the wpfid shortcode caused by insufficient input sanitization/output escaping on the class attribute. Exploitation requires attacker with contributor+ privileges; the pay...