cleantalk
Vulnerabilities and Security Researches

AH Shortcodes, CVE-2025-14109

CVE, Research URL

CVE-2025-14109

Home page URL

Security reports for AH Shortcodes

Application

AH Shortcodes

Published on
Jan 07, 2026
Research Description
The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.2.
Status
vulnerable
Previous vulnerability researches
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) , Aug 26, 2025
New vulnerability
Advanced Classifieds & Directory Pro (CVE-2025-68580) , Jan 10, 2026
Co-marquage service-public.fr (CVE-2025-62113) , Jan 10, 2026
404 Solution (CVE-2025-14477) , Jan 10, 2026
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. (CVE-2025-69024) , Jan 10, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2025-13754) , Jan 10, 2026