CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
There is a Cross Site Scripting (XSS) vulnerability in ProfilePress versions <= 4.16.13 related to subscribers.
Versions of Simple Cloudflare Turnstile up to 1.38.0 have a vulnerability in authentication that allows unauthorized access.
There is a vulnerability in WPPizza versions up to 3.19.9 that allows for the exposure of subscriber sensitive data.
Amelia versions up to 2.2 contain a broken access control vulnerability that may allow unauthorized users to access subscriber resources.
Versions of myCred up to 3.0.3 have a vulnerability in access control, allowing unauthorized access to subscriber resources.
Versions of Groundhogg below 4.4.1 have a broken access control issue for subscribers, potentially allowing unauthorized access to data.
In KiviCare versions <= 4.2.1, there is a vulnerability related to Insecure Direct Object References (IDOR) for subscribers.
There is a vulnerability in WP SMS versions up to 7.2.1 that exposes sensitive subscriber data.
WPAdverts versions <= 2.3.0 have an issue with unauthenticated access that can lead to broken access control.
Versions of rtMedia for WordPress, BuddyPress, and bbPress up to 4.7.9 have a vulnerability in access control that may allow unauthorized subscribers to access resources.
Versions of Tutor LMS up to 3.9.7 have an issue with unauthenticated access that can lead to broken access control.
There is a broken access control issue in Ultra Addons for WPForms versions <= 1.0.11 that may allow unauthorized users to access subscriber resources.
RepairBuddy versions up to 4.1132 have a broken access control issue that may allow subscribers unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability in Shipment Tracker for Woocommerce versions up to 1.5.3.2 affecting subscribers.
WpStream versions below 4.11.2 have a vulnerability allowing subscribers to upload arbitrary files.
Booking Activities versions up to 1.16.48.1 have a vulnerability in access control that allows unauthorized access.
Versions of the engine below 1.4.107 have a broken access control issue for subscribers, which may lead to unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability for subscribers in JupiterX Core versions <= 4.14.1.
In Download Monitor versions <= 5.1.9, there is a vulnerability that allows unauthorized users to download arbitrary files.
In Meta Box, a WordPress custom fields framework, there is a vulnerability allowing arbitrary file deletion by a contributor in versions up to 5.11.1.

