What the vulnerability does
01Description
The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
CVSS base score
—
Key dates
02Disclosure timeline
November 14, 2022
CVE published
April 30, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2021-24991 WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting
CVE-2025-6244 Essential Addons for Elementor – Popular Elementor Templates and Widgets <= 6.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets
CVE-2023-50830 WordPress Seos Contact Form Plugin <= 1.8.0 is vulnerable to Cross Site Scripting (XSS)
CVE-2021-36911 WordPress Comment Engine Pro plugin <= 1.0 - Stored Cross-Site Scripting (XSS) vulnerability
CVE-2025-54266 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
