CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 May 2025 — The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user-supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenev... • https://plugins.trac.wordpress.org/browser/eg-series/trunk/lib/eg-plugin.inc.php#L546 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)