Filtered by vendor Shapedplugin
Subscriptions
Total
19 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12584 | 3 Shapedplugin, Woocommerce, Wordpress | 3 Quick View, Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to. | ||||
| CVE-2025-58228 | 3 Shapedplugin, Woocommerce, Wordpress | 3 Quick View, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC Quick View for WooCommerce woo-quickview allows Stored XSS.This issue affects Quick View for WooCommerce: from n/a through <= 2.2.16. | ||||
| CVE-2024-3020 | 1 Shapedplugin | 3 Logo Carousel, Post Grid\, Post Carousel\, \& List Category Posts, Product Slider For Woocommerce | 2026-04-15 | 7.2 High |
| The plugin is vulnerable to PHP Object Injection in versions up to and including, 2.6.3 via deserialization of untrusted input in the import function via the 'shortcode' parameter. This allows authenticated attackers, with administrator-level access to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2026-3017 | 2 Shapedplugin, Wordpress | 2 Post Grid\, Post Carousel\, \& List Category Posts, Wordpress | 2026-04-14 | 7.2 High |
| The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-48134 | 1 Shapedplugin | 1 Wp Tabs | 2026-04-01 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection.This issue affects WP Tabs: from n/a through <= 2.2.12. | ||||
| CVE-2024-3996 | 1 Shapedplugin | 1 Smart Post Show | 2025-11-13 | 3.5 Low |
| The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-52124 | 1 Shapedplugin | 1 Wp Tabs | 2025-06-17 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC WP Tabs – Responsive Tabs Plugin for WordPress allows Stored XSS.This issue affects WP Tabs – Responsive Tabs Plugin for WordPress: from n/a through 2.2.0. | ||||
| CVE-2024-8187 | 1 Shapedplugin | 1 Smart Post Show | 2025-05-27 | 4.8 Medium |
| The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-11503 | 1 Shapedplugin | 1 Wp Tabs | 2025-04-29 | 6.1 Medium |
| The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-0097 | 1 Shapedplugin | 1 Smart Post Show | 2025-04-21 | 5.4 Medium |
| The Post Grid, Post Carousel, & List Category Posts WordPress plugin before 2.4.19 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2022-4648 | 1 Shapedplugin | 1 Real Testimonials | 2025-04-07 | 5.4 Medium |
| The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | ||||
| CVE-2022-4629 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2025-04-02 | 5.4 Medium |
| The Product Slider for WooCommerce WordPress plugin before 2.6.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | ||||
| CVE-2023-0071 | 1 Shapedplugin | 1 Wp Tabs | 2025-03-27 | 5.4 Medium |
| The WP Tabs WordPress plugin before 2.1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0360 | 1 Shapedplugin | 1 Location Weather | 2025-03-20 | 5.4 Medium |
| The Location Weather WordPress plugin before 1.3.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0537 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2025-01-29 | 5.4 Medium |
| The Product Slider For WooCommerce Lite WordPress plugin through 1.1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2023-25065 | 1 Shapedplugin | 1 Wp Tabs | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions. | ||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | 4.3 Medium |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | ||||
| CVE-2021-24739 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 8.1 High |
| The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature | ||||
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 5.4 Medium |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | ||||
Page 1 of 1.