WordPress Monthly
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
Unauthenticated privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows remote attackers to create administrator accounts by submitting a crafted form payload. The flaw stems from the plugin trusting an attacker-supplied form definition passed via $_POST['_acf_form'] as an array, which bypasses the legitimate server-side form lookup and allows the role field's allowed values to be spoofed. No public exploit identified at time of analysis, but the vulnerability is reported by Wordfence and is straightforwardly weaponizable given the documented logic flaw.
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.
Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.
Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow. WPScan reports that publicly available exploit code exists, though no active exploitation has been confirmed via CISA KEV at time of analysis.
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or email-redirect password reset; no public exploit has been identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.
Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php. No public exploit has been identified at time of analysis, and there is no CISA KEV listing.
Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.
Server-Side Request Forgery in Independent Analytics (WordPress plugin, all versions through 2.14.9) enables unauthenticated remote attackers to inject arbitrary referrer domains into the site's analytics database and subsequently trigger server-side HTTP requests to any host - including internal network services and cloud metadata endpoints. The exploit chain combines a bypassable signature check on the public /wp-json/iawp/search REST endpoint (static salt embedded in publicly-accessible JavaScript) with a scheduled favicon fetcher that issues raw cURL requests with zero SSRF mitigations. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV, but CVSS PR:N/AC:L indicates exploitation requires no authentication and minimal complexity, particularly threatening for WordPress deployments on cloud infrastructure.
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
Open redirect in the Facebook for WooCommerce WordPress plugin (versions through 3.7.0) allows unauthenticated remote attackers to redirect victims to arbitrary external domains via crafted URLs. Classified under CWE-601, the vulnerability enables phishing campaigns that abuse the plugin's trusted WooCommerce domain as a delivery mechanism - victims clicking a link that appears to originate from a legitimate storefront are silently forwarded to attacker-controlled sites. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS data was not available in the provided intelligence.
Missing authorization controls in the WebToffee Product Import Export for WooCommerce WordPress plugin (versions through 2.5.6) allow low-privileged authenticated users to access protected import/export functionality beyond their intended permission level, resulting in unauthorized read access to product data. The flaw is classified under CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user is actually permitted to perform sensitive operations. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a limited-impact, network-accessible vulnerability constrained by the requirement for prior authentication.
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and including 1.0.9) allows remote unauthenticated attackers to inject SQL into backend database queries and infer sensitive data through boolean or time-based responses. The CVSS 3.1 vector (PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope (S:C) reflects that compromise of the WordPress database can affect the entire site beyond the plugin itself. There is no public exploit identified at time of analysis, and no KEV listing or EPSS score was provided.
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and including 1.0.8) lets remote attackers inject SQL commands via an unsanitized parameter to read arbitrary data from the WordPress/WooCommerce database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with a changed scope, meaning the injection reaches the backend database beyond the plugin component itself. There is no public exploit identified at time of analysis and no EPSS score was provided, so probability of exploitation cannot be quantified from the available data.
Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) allows unauthenticated remote attackers to bypass access controls, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.
Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.
Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.
Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.
Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.
Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.
Arbitrary file read in the Xpro Elementor Addons - Pro WordPress plugin (versions ≤1.4.7) allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the web server process, including credential-bearing files such as wp-config.php. The vulnerability originates in the Draw SVG widget, which passes user-controlled input to a server-side file read operation without adequate path restriction (CWE-73). No public exploit code has been identified at time of analysis, and CISA has not added this to the KEV catalog; however, successful exploitation fully compromises the confidentiality of server-side data.
Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.
Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).
Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.
Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.
Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.
Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page and in the browser of any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).
Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.
Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.
Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.
Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.
Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.
Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.
Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.
Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.
Cross-Site Request Forgery in CDN Linker lite WordPress plugin (versions up to and including 1.3.1) enables unauthenticated remote attackers to hijack a site's CDN URL by tricking a logged-in administrator into triggering a forged request. The vulnerable function, ossdl_off_options(), lacks proper nonce validation, meaning an attacker who successfully engineers admin interaction can repoint all static asset references - JavaScript, CSS, images - to an attacker-controlled domain. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects low current exploitation probability.
Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.
Cross-Site Request Forgery in the auto making JSON-LD WordPress plugin (all versions through 4.5.3) enables unauthenticated remote attackers to overwrite the plugin's license key option and trigger unauthorized installation of pro components by inducing an authenticated administrator to visit a malicious page. The vulnerability originates from absent or incorrect nonce validation in the `amJL_certification` function (settings/certification.php), bypassing WordPress's built-in CSRF protection and cascading into downstream calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`. No public exploit has been identified at time of analysis; EPSS is 0.01% (2nd percentile) and SSVC confirms no known exploitation.
Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3.
Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.
Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.
Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.
Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.
Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.
Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.
Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.
Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.
Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.
Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.
Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.
Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.
Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.
Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.
Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into an HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.
Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.
Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.
Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.
Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.
Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.
Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is only a modest barrier given how many WordPress sites grant that role to content editors.
Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.
Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.
Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.
Privilege escalation in the Firebase Support & Chat Management WordPress plugin (all versions up to and including 3.1.1) lets any authenticated Subscriber-level user take over any other account, including Administrator. The plugin's acb_firebase_auth AJAX handler logs the request in as whatever WordPress account matches the attacker-supplied user_email parameter, never verifying the accompanying Firebase ID token. No public exploit was identified at time of analysis and the EPSS probability is very low (0.04%, 13th percentile), but the bug is trivially exploitable wherever the plugin is active and a low-privilege account can be obtained.
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Arbitrary file upload leading to remote code execution affects the GutenBee – Gutenberg Blocks WordPress plugin in all versions through 2.20.1, enabling authenticated users with Author role or higher to upload PHP files disguised with double extensions such as shell.json.php. The flaw stems from a permissive strpos() substring check in gutenbee_file_and_ext_json that allows attackers to bypass WordPress filetype validation and execute arbitrary PHP on the server. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Insecure Direct Object Reference in WPEverest's User Registration & Membership WordPress plugin (all versions through 5.1.5) allows deletion of arbitrary media attachments by exploiting missing ownership validation on user-controlled attachment IDs. Authenticated users at subscriber level or above can permanently destroy any media file uploaded by any other user, including administrators, by submitting a crafted attachment ID to the plugin's frontend handler. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the low barrier to exploitation - any registered site user qualifies - elevates practical risk on membership-driven WordPress sites.
Stored cross-site scripting in the SlimStat Analytics WordPress plugin (versions through 5.4.11) allows unauthenticated attackers to inject arbitrary JavaScript via the User-Agent request header, which is persisted unsanitized and later rendered inside the admin Browsers report tooltip. Exploitation requires the non-default 'show_complete_user_agent_tooltip' setting to be enabled by an administrator, after which any admin viewing the affected report executes the attacker's script. No public exploit identified at time of analysis and no EPSS or CISA KEV signal is provided in the supplied data.
Stored Cross-Site Scripting in the LiveSmart Video Chat WordPress plugin (all versions through 1.2) allows authenticated contributors to inject persistent malicious scripts via the 'livesmart_widget' shortcode attribute, which execute in any visitor's browser upon page load. The CVSS Scope:Changed rating confirms cross-user impact - a contributor's injected payload can hijack administrator sessions, exfiltrate cookies, or perform unauthorized actions on behalf of higher-privileged victims. No public exploit code and no CISA KEV confirmation exist at time of analysis, but the low privilege bar (contributor-level) meaningfully widens the realistic attacker pool on multi-author WordPress deployments.
Remote code execution in the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to and including 2.7.2) allows authenticated users with author-level privileges to execute arbitrary PHP code on the server by abusing the 'callback_raw' or 'callback' shortcode attributes processed by the filter_content function. The flaw stems from passing attacker-controlled input directly to call_user_func() guarded only by is_callable(), which still permits dangerous PHP built-ins like system, shell_exec, exec, passthru, and assert. No public exploit identified at time of analysis, but Wordfence has published a detailed advisory and the shortcode sink is trivially reachable for any author-level account.
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; WPScan reports that exploit code is publicly available, though no active exploitation has been identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows authenticated subscriber-level users to overwrite arbitrary user profile fields - including administrator passwords and email addresses - by supplying a chosen user_id parameter to a vulnerable Edit-User form. This authorization-bypass flaw (CWE-862) enables full administrator account takeover through direct password replacement or an email-redirect password reset; no public exploit has been identified at time of analysis. The vulnerability requires a specific misconfiguration where the form's Roles setting is left empty, which limits exploitable installs but is a common default state.
Insecure Direct Object Reference in the Timetable and Event Schedule by MotoPress WordPress plugin (all versions through 2.4.16) allows authenticated contributors to bypass object-level authorization and read non-public content belonging to other users. The vulnerability exists in the action_get_event_data AJAX action, which accepts a user-controlled timeslot key with no ownership or visibility validation, exposing full WP_Post data - including post_content, post_excerpt, post_status, and post_author - for draft, pending, and private mp-event posts. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the Login No Captcha reCAPTCHA WordPress plugin (versions up to and including 1.8.0) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in an administrator's browser session. The flaw, reported by Wordfence, stems from unsanitized handling of the PHP_SELF superglobal during failed logins via non-standard endpoints such as xmlrpc.php, with no public exploit identified at time of analysis and no CISA KEV listing.
Authorization bypass in FOX - Currency Switcher Professional for WooCommerce (all versions through 1.4.6) allows authenticated attackers with Subscriber-level access to impersonate higher-privileged roles - such as wholesale customers or administrators - to obtain discounted or otherwise role-restricted product pricing. The flaw stems from the plugin's fixed user-role pricing engine blindly trusting a client-supplied HTTP request parameter over the server-side session object when resolving a user's role for price calculation. No public exploit is identified at time of analysis, and real-world impact is bounded by a non-default configuration requirement, keeping the CVSS base score at 4.3.
Server-Side Request Forgery in Independent Analytics (WordPress plugin, all versions through 2.14.9) enables unauthenticated remote attackers to inject arbitrary referrer domains into the site's analytics database and subsequently trigger server-side HTTP requests to any host - including internal network services and cloud metadata endpoints. The exploit chain combines a bypassable signature check on the public /wp-json/iawp/search REST endpoint (static salt embedded in publicly-accessible JavaScript) with a scheduled favicon fetcher that issues raw cURL requests with zero SSRF mitigations. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV, but CVSS PR:N/AC:L indicates exploitation requires no authentication and minimal complexity, particularly threatening for WordPress deployments on cloud infrastructure.
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
Open redirect in the Facebook for WooCommerce WordPress plugin (versions through 3.7.0) allows unauthenticated remote attackers to redirect victims to arbitrary external domains via crafted URLs. Classified under CWE-601, the vulnerability enables phishing campaigns that abuse the plugin's trusted WooCommerce domain as a delivery mechanism - victims clicking a link that appears to originate from a legitimate storefront are silently forwarded to attacker-controlled sites. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS data was not available in the provided intelligence.
Missing authorization controls in the WebToffee Product Import Export for WooCommerce WordPress plugin (versions through 2.5.6) allow low-privileged authenticated users to access protected import/export functionality beyond their intended permission level, resulting in unauthorized read access to product data. The flaw is classified under CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user is actually permitted to perform sensitive operations. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a limited-impact, network-accessible vulnerability constrained by the requirement for prior authentication.
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and including 1.0.9) allows remote unauthenticated attackers to inject SQL into backend database queries and infer sensitive data through boolean or time-based responses. The CVSS 3.1 vector (PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope (S:C) reflects that compromise of the WordPress database can affect the entire site beyond the plugin itself. There is no public exploit identified at time of analysis, and no KEV listing or EPSS score was provided.
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and including 1.0.8) lets remote attackers inject SQL commands via an unsanitized parameter to read arbitrary data from the WordPress/WooCommerce database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with a changed scope, meaning the injection reaches the backend database beyond the plugin component itself. There is no public exploit identified at time of analysis and no EPSS score was provided, so probability of exploitation cannot be quantified from the available data.
Missing authorization in the AWP Classifieds WordPress plugin (versions through 4.4.5) allows unauthenticated remote attackers to exploit broken access control, enabling unauthorized modification and availability disruption of classified listing data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated privileges against any internet-facing WordPress site running the affected plugin. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS at 0.04% (11th percentile) indicates low observed exploitation probability, though the unauthenticated attack surface broadens theoretical exposure.
Insecure Direct Object Reference (IDOR) in the WP Wham Checkout Files Upload for WooCommerce WordPress plugin exposes uploaded checkout files to unauthenticated remote attackers who manipulate user-controlled object keys. All plugin versions through 2.2.5 are affected, with the CVSS vector confirming no authentication or user interaction is required. Despite the straightforward exploit path - flagged as automatable by the SSVC framework - real-world risk is tempered by a very low EPSS score of 0.04% (12th percentile), no public exploit code, and no active exploitation per CISA KEV.
Reflected Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions ≤ 3.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'url' parameter on the plugin's redirect page. Successful exploitation requires tricking a WordPress user into clicking a specially crafted link, after which the malicious script executes in the victim's browser within the scope of the WordPress site - enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit has been identified at time of analysis; EPSS stands at 0.06% (19th percentile) and CISA SSVC rates exploitation status as none, indicating minimal real-world exploitation activity at this time.
Stored Cross-Site Scripting in the MinhNhut Link Gateway WordPress plugin (all versions through 3.6.1) allows authenticated administrators to persist malicious JavaScript payloads via the plugin's settings fields - including Description and Title - which then execute in the browsers of any user who accesses the plugin's redirect pages. The attack is constrained to multi-site WordPress deployments or single-site installations where unfiltered_html has been explicitly disabled, and requires Administrator-level credentials, substantially narrowing real-world exposure. No public exploit code has been identified at time of analysis, and EPSS stands at a very low 0.03% (8th percentile), consistent with the narrow exploitation window.
Stored Cross-Site Scripting in the myLinksDump WordPress plugin (all versions ≤1.6) allows authenticated administrators to permanently inject arbitrary JavaScript into pages via the unsanitized 'link_title' parameter, executing in any victim's browser upon page access. Exploitation is constrained to WordPress multi-site environments or single-site installs with unfiltered_html disabled, and requires administrator-level credentials plus victim interaction. EPSS is 0.03% (9th percentile) and SSVC confirms no known exploitation, placing this firmly in a low-priority tier despite the stored XSS class.
Stored Cross-Site Scripting in the rexCrawler WordPress plugin (versions ≤ 1.0.15) allows authenticated administrators to inject persistent malicious scripts into settings pages, which then execute in the browsers of any user who accesses those pages. The vulnerability originates in admin_main.php at two distinct injection points (lines 108 and 239) and is constrained to multi-site WordPress environments or single-site installs where the unfiltered_html capability has been explicitly disabled. With an EPSS of 0.02% (7th percentile), no CISA KEV listing, and SSVC exploitation status of 'none', this represents a low-urgency finding despite its network-accessible attack vector. No public exploit code has been identified at time of analysis.
Arbitrary file read in the Xpro Elementor Addons - Pro WordPress plugin (versions ≤1.4.7) allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the web server process, including credential-bearing files such as wp-config.php. The vulnerability originates in the Draw SVG widget, which passes user-controlled input to a server-side file read operation without adequate path restriction (CWE-73). No public exploit code has been identified at time of analysis, and CISA has not added this to the KEV catalog; however, successful exploitation fully compromises the confidentiality of server-side data.
Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.
Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).
Stored Cross-Site Scripting in the Github Shortcode plugin for WordPress (all versions through 0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the 'repo' attribute of the 'github' shortcode. Any user who subsequently visits the injected page triggers execution of the attacker-controlled script in their browser context. No public exploit has been identified at time of analysis and EPSS places exploitation probability at 0.03% (9th percentile), though the low barrier to exploitation for any site permitting contributor accounts warrants attention.
Time-based blind SQL Injection in the EnvíaloSimple: Email Marketing y Newsletters WordPress plugin (all versions through 2.4.5) allows authenticated administrators to extract sensitive data from the underlying database. The vulnerability is in the 'orderby' parameter, which is insufficiently escaped and passed into existing SQL queries without adequate preparation, enabling an attacker with administrator-level WordPress credentials to append arbitrary SQL and enumerate database contents. EPSS is very low (0.03%, 8th percentile), no public exploit has been identified, and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation pressure at this time.
Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.
Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the `labb_admin_ajax` AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).
Stored Cross-Site Scripting in the Livemesh SiteOrigin Widgets WordPress plugin (all versions through 3.9.2) allows any authenticated subscriber-level user to permanently inject malicious scripts into plugin settings via the unprotected `lsow_admin_ajax` AJAX endpoint. The injected payload executes against administrators when they access the plugin settings page, and against any site visitor on the frontend - enabling session hijacking, credential theft, or unauthorized admin actions. No public exploit has been identified at time of analysis and CISA has not added this to the KEV catalog, but the low privilege bar (subscriber) makes it an attractive target on sites with open registration.
Stored Cross-Site Scripting in the WPBakery Page Builder Addons by Livemesh WordPress plugin (all versions through 3.9.4) allows authenticated attackers with as little as Subscriber-level access to permanently inject malicious JavaScript into plugin settings via the unprotected lvca_admin_ajax AJAX endpoint. The injected payload executes both when administrators access the plugin settings page and when any frontend visitor loads affected pages, achieving Changed Scope impact beyond the attacker's own session. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE, though the low authentication bar makes it a realistic risk on WordPress sites with open user registration.
Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.
Unauthorized jQuery downgrade in the Enable jQuery Migrate Helper WordPress plugin (all versions ≤1.4.1) allows any authenticated Subscriber-level user to replace the site-wide jQuery 3.7.1 with the legacy 1.12.4-wp release, which carries known security vulnerabilities. The root cause is a missing authorization check in the `downgrade_jquery_version()` function, which validates a nonce but never verifies user capabilities (CWE-862). No public exploit exists and CISA has not added this to KEV; however, the indirect impact is significant because a successful downgrade introduces a vulnerable jQuery version that could serve as a stepping stone for further exploitation of other weaknesses.
Reflected Cross-Site Scripting in the Gutenverse plugin for WordPress (all versions through 3.4.6) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious search URL. The vulnerability arises from the plugin's search-result-title block outputting the raw search query string directly into page HTML without sanitization. Exploitation requires user interaction (victim must click a crafted link) and the gutenverse/search-result-title block must be present on the site's search results template. No public exploit code has been identified at time of analysis, and CISA KEV confirmation of active exploitation is absent.
Stored XSS in WPBakery Page Builder Addons by Livemesh (all versions through 3.9.4) allows authenticated WordPress contributors to inject persistent JavaScript into site pages via malformed shortcode attributes on the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcodes. The flaw arises from using `wp_json_encode()` instead of `esc_attr()` when embedding shortcode attributes into single-quoted HTML `data-settings` attributes, enabling an attacker to inject a literal single quote and escape the attribute boundary. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) reflects low current exploitation interest, and the practical attack surface is constrained to WordPress sites where untrusted users hold Contributor-level access.
Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.
Unauthenticated statistics reset in the WP Promoter WordPress plugin (versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.
Authentication bypass in the Login with NEAR WordPress plugin (all versions through 0.3.3) lets unauthenticated attackers log in as any existing user - including administrators - whose email matches the deterministic <account>@near.org pattern. The flaw stems from the unauthenticated ajaxLoginWithNear() handler issuing a valid WordPress auth cookie based only on a substring check for '.near', with no signature, challenge-response, or nonce verification. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.10%), but the technical impact is total per CISA SSVC.
Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.
Cross-Site Request Forgery in the CDN Linker lite WordPress plugin (versions up to and including 1.3.1) enables unauthenticated remote attackers to hijack a site's CDN URL by tricking a logged-in administrator into triggering a forged request. The vulnerable function, ossdl_off_options(), lacks proper nonce validation, meaning an attacker who successfully engineers admin interaction can repoint all static asset references - JavaScript, CSS, images - to an attacker-controlled domain. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects low current exploitation probability.
Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.
Cross-Site Request Forgery in the auto making JSON-LD WordPress plugin (all versions through 4.5.3) enables unauthenticated remote attackers to overwrite the plugin's license key option and trigger unauthorized installation of pro components by inducing an authenticated administrator to visit a malicious page. The vulnerability originates from absent or incorrect nonce validation in the `amJL_certification` function (settings/certification.php), bypassing WordPress's built-in CSRF protection and cascading into downstream calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`. No public exploit has been identified at time of analysis; EPSS is 0.01% (2nd percentile) and SSVC confirms no known exploitation.
Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3.
Stored Cross-Site Scripting in the Auto Thumbnail WordPress plugin (all versions up to and including 1.0) enables authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'width' and 'height' attributes of the 'thumbnails' shortcode. The injected payload executes in the browser of any subsequent visitor who loads the affected page, crossing trust boundaries from the WordPress server context into victims' sessions (CVSS S:C). No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog; EPSS of 0.03% (9th percentile) reflects low predicted exploitation probability, though the stored nature of the flaw amplifies impact relative to reflected XSS.
Stored Cross-Site Scripting in the Events In City WordPress plugin (versions ≤3.0) allows contributor-level authenticated users to inject persistent JavaScript payloads via unsanitized 'org-events' shortcode attributes handled by the org_event_scode() function. The CVSS scope is Changed (S:C), meaning injected scripts execute in victims' browsers outside the plugin's own context, enabling session hijacking, credential theft, or unauthorized actions against any user who views an affected page. No public exploit identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low current exploitation likelihood, though the contributor-level access requirement is a realistic attack surface on multi-author WordPress sites.
Stored Cross-Site Scripting in the Shortcode Buddy WordPress plugin (all versions ≤ 0.1.9.5) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into pages via unsanitized shortcode attributes, executing in any visitor's browser upon page load. The Changed scope (S:C) in the CVSS vector confirms the injected payload escapes the plugin's context and affects users browsing the site, including administrators whose sessions could be hijacked. No public exploit code has been identified at time of analysis, and EPSS sits at 0.03% (9th percentile), indicating low observed exploitation probability, though the contributor-level entry bar makes this a realistic risk on sites with multiple editors.
Stored Cross-Site Scripting in the iWR Tooltip WordPress plugin (versions up to and including 1.0) permits authenticated attackers holding contributor-level accounts or higher to plant persistent malicious scripts via the plugin's `iwrtooltip` shortcode. The root cause is direct string concatenation of the user-supplied `title` attribute into an HTML attribute inside the `iwr_tooltip()` handler at lines 37 and 41 of iwr-tooltip.php, with no call to `esc_attr()` or equivalent escaping. Any site visitor who subsequently loads a page containing the poisoned shortcode will execute the injected script in their browser, with scope-changed impact that can target session tokens, credentials, or site administrative functions. EPSS is 0.03% (9th percentile), and no public exploit or CISA KEV listing exists at time of analysis.
Stored Cross-Site Scripting in the BitForm WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers with contributor-level access or above to inject persistent malicious scripts via unsanitized 'width' and 'height' shortcode attributes in the Shortcode::shortcode() function, which are written directly into the style attribute of an iframe element without escaping. Any user who subsequently views a page containing the injected shortcode will trigger execution of the attacker's script in their browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS places current exploitation probability at 0.03% (9th percentile), indicating this is currently a low-activity finding despite its network-accessible attack vector.
Stored Cross-Site Scripting in the Listen Shortcode WordPress plugin (versions ≤ 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via unsanitized shortcode attributes. The vulnerability exists in the listenEmbedJS() function, which echoes user-supplied src, start, and end attributes directly into a single-quoted HTML attribute context without escaping, enabling script injection that executes in the browsers of any user who later visits the affected page. EPSS is low (0.03%, 9th percentile) and no public exploit or CISA KEV listing has been identified at time of analysis, suggesting limited current exploitation activity.
Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.
Stored Cross-Site Scripting in the Instant-Quote.co Quotation Page WordPress plugin (all versions ≤1.3.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. The changed-scope CVSS vector (S:C) reflects that injected scripts execute in victim browsers rather than the server, and the plugin's shortcode is exploitable through the WordPress post review workflow - a contributor can embed a malicious shortcode in a draft submitted for editor or administrator review, causing the payload to execute when a privileged user previews the post. No public exploit has been identified and EPSS is very low at 0.04% (12th percentile), indicating limited opportunistic exploitation risk, though the cross-privilege escalation path warrants attention on multi-author WordPress sites.
Stored Cross-Site Scripting in the Responsive Video Embedder WordPress plugin (versions ≤ 0.1) allows authenticated attackers with contributor-level access or above to persistently inject arbitrary JavaScript into WordPress pages via unsanitized shortcode attributes. The root cause is direct, unescaped concatenation of user-supplied 'id' and 'list' attributes into an HTML iframe src attribute inside the video_shortcode() function. Because the CVSS scope is Changed (S:C), injected scripts execute in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No active exploitation has been confirmed and EPSS is very low (0.03%, 9th percentile), but the contributor-level entry bar makes this relevant on multi-author WordPress sites.
Stored Cross-Site Scripting in the Easy Prism Syntax Highlighter WordPress plugin (versions ≤1.0.2) enables authenticated attackers with Contributor-level access to inject persistent JavaScript into WordPress pages via the 'code' or 'c' shortcode. The flaw resides in the shortcode() function, which concatenates the first positional shortcode attribute directly into the class attribute of generated <pre> and <code> HTML elements without invoking esc_attr() or any equivalent escaping - enabling HTML attribute breakout and arbitrary script injection. No public exploit has been identified and EPSS is very low (0.03%, 9th percentile), but the Contributor-level authentication threshold makes this accessible on any multi-author WordPress site without additional barrier.
Stored Cross-Site Scripting in the Content Slideshow WordPress plugin (all versions through 2.4.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes. The vulnerability resides in slideshow-widget-shortcode.php at multiple points (lines 14 and 143) where shortcode attribute values are passed without adequate sanitization or output escaping. The CVSS scope is Changed (S:C), meaning injected scripts execute in the victim's browser context and can affect resources beyond the plugin itself, such as stealing session tokens or performing actions as the visiting user. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS sits at a very low 0.03%.
Stored Cross-Site Scripting in the Animate Your Content WordPress plugin (versions ≤ 1.0.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages via the 'animation-set' shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit code has been identified at time of analysis, and EPSS (0.03%, 9th percentile) together with SSVC exploitation status of 'none' indicate this is currently a low-priority, low-activity vulnerability.
Stored Cross-Site Scripting in the Formidable Kinetic WordPress plugin (versions ≤1.1.01) allows authenticated attackers with contributor-level access to permanently inject malicious scripts into pages via the 'kinetic_link' shortcode. The FrmKinetic::link() function concatenates user-supplied shortcode attributes ('window', 'class', 'label') directly into anchor tag HTML attributes without sanitization or output escaping, meaning any visitor who loads an injected page triggers execution of the attacker's payload in their browser. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) reflects low automated exploitation probability, but the Changed scope (S:C) in the CVSS vector indicates the impact crosses the plugin's security boundary into the broader WordPress page context.
Stored Cross-Site Scripting in the Team Master WordPress plugin (all versions ≤ 1.1.2) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via shortcode attributes into WordPress pages, executing against any visitor who subsequently loads the affected page. The scope change (S:C in CVSS) reflects cross-session impact - a low-privileged contributor can compromise higher-privileged users including administrators. No public exploit identified at time of analysis, and EPSS of 0.03% (9th percentile) indicates low current exploitation probability.
Stored Cross-Site Scripting in the Mutual Funds Data WordPress plugin (versions ≤ 1.2.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts into any page using the affected shortcode. The unsanitized 'title' attribute in the mfd_shortcode() function is written directly into an HTML caption element without escaping, meaning injected payloads execute in the browsers of any user who subsequently views the affected page. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects a low current probability of widespread exploitation.
Stored Cross-Site Scripting in the Single Mailchimp WordPress plugin (all versions through 1.4) allows authenticated attackers with contributor-level access to inject persistent JavaScript into WordPress pages via unsanitized shortcode attributes. The six affected attributes - autocomplete, label, placeholder, btn_text, success_msg, and error_msg - are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php without sanitization or output escaping. No public exploit code exists and EPSS places exploitation probability at 0.03% (9th percentile), indicating low real-world exploitation pressure at this time.
Stored Cross-Site Scripting in the Post Category Gallery WordPress plugin (versions ≤1.0.0) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via unsanitized shortcode attributes. The injected payload executes in the browsers of any user who visits the affected page, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users such as administrators. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) indicates very low automated exploitation probability.
Stored Cross-Site Scripting in the jQuery googleslides WordPress plugin (all versions through 1.3) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious scripts via the 'googleslides' shortcode. The vulnerability is confirmed by Wordfence (ENISA EUVD-2026-32069) and traces to the `googleslides_handler()` function directly interpolating ten shortcode attribute values into HTML without the WordPress-standard `esc_attr()` sanitization. The CVSS Changed Scope (S:C) reflects that injected scripts execute in victims' browsers outside the plugin's own domain; EPSS at 0.03% (9th percentile) and absence from CISA KEV indicate no public exploit or confirmed active exploitation at time of analysis.
Stored Cross-Site Scripting in the Dideo plugin for WordPress version 1.0 allows authenticated contributors to inject persistent malicious scripts into any page using the 'dideo' shortcode. The 'id' shortcode attribute is interpolated directly into an HTML iframe 'src' attribute without sanitization or output escaping in the dideo() handler, meaning injected payloads execute automatically in the browser of any user who visits the affected page. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects low current exploitation interest, but the stored nature and scope-changed CVSS vector (S:C) elevate concern for multi-author WordPress deployments.
Stored Cross-Site Scripting in the Tuxquote WordPress plugin (versions up to and including 1.3) enables authenticated attackers holding Contributor-level access or above to inject persistent malicious scripts into WordPress pages via unsanitized shortcode attributes. The `tuxquote_build_format()` function concatenates user-supplied `title`, `align`, and `width` attributes from the TUXQUOTE shortcode directly into rendered HTML without passing them through WordPress's built-in `esc_attr()` or `esc_html()` escaping functions, allowing the payload to persist and execute in any visitor's browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (9th percentile) reflects minimal real-world exploitation activity to date.
Stored Cross-Site Scripting in the Islamic Database WordPress plugin (versions ≤ 1.0) allows authenticated contributors to persistently inject arbitrary JavaScript into WordPress pages via the 'islamicDB-roqya' shortcode's 'width' and 'height' attributes. The flaw originates in the islamicDB_sc_quran_qari_roqya() function, which concatenates these shortcode attribute values directly into HTML iframe attribute values without sanitization or output escaping. No public exploit has been identified and EPSS sits at 0.03% (9th percentile), reflecting low current exploitation probability, though the contributor-level access requirement is only a modest barrier given how many WordPress sites grant that role to content editors.
Stored Cross-Site Scripting in the Responsive Check WordPress plugin (versions ≤ 0.0.3) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'url' and 'button' attributes of the [rspcheck] shortcode. The payload executes in the browser of any user who visits an affected page, with a CVSS scope-change designation (S:C) reflecting cross-user impact. No public exploit has been identified and the EPSS score of 0.03% (9th percentile) places real-world exploitation probability firmly at the low end, though sites with open contributor registration remain meaningfully exposed.
Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'gplusnamelink' shortcode's 'id' and 'name' attributes. The root cause is the absence of WordPress output-escaping functions (esc_attr() or esc_html()) in the gplusnamelink_generate() function, permitting raw attribute values to be concatenated directly into rendered HTML. Scope is Changed (S:C) per CVSS, meaning the injected script executes in victims' browser sessions outside the plugin's own security context. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS score of 0.03% (9th percentile) reflects low observed exploitation probability.
Stored Cross-Site Scripting in the WP Iframe Geo Style for Amazon affiliates WordPress plugin (all versions ≤1.1) allows authenticated attackers holding contributor-level roles to persist malicious JavaScript in page content via the unsanitized 'adid' shortcode attribute. The injected script executes automatically in any visitor's browser upon page load, with changed scope (S:C) confirming the payload crosses the attacker's own security boundary to impact other users. No public exploit identified at time of analysis, and an EPSS score of 0.03% (9th percentile) reflects low current exploitation probability, though the contributor-level access requirement is achievable on many open-registration WordPress sites.
Privilege escalation in the Firebase Support & Chat Management WordPress plugin (all versions up to and including 3.1.1) lets any authenticated Subscriber-level user take over any other account, including Administrator. The plugin's acb_firebase_auth AJAX handler logs the request in as whatever WordPress account matches the attacker-supplied user_email parameter, never verifying the accompanying Firebase ID token. No public exploit was identified at time of analysis and the EPSS probability is very low (0.04%, 13th percentile), but the bug is trivially exploitable wherever the plugin is active and a low-privilege account can be obtained.
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.