CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Versions of Funnel Builder by FunnelKit up to 3.15.0.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
There is a SQL Injection vulnerability in ELEX WordPress HelpDesk and Customer Ticketing System versions up to 3.3.6. An attacker can exploit this flaw to execute unauthorized queries against the database.
Amelia versions up to 2.3 contain a vulnerability that allows subscriber privilege escalation.
Versions of HollerBox up to 2.3.10.1 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
There is an unauthenticated broken access control vulnerability in WPC Product Bundles for WooCommerce versions <= 8.5.3.
The WP Time Slots Booking Form plugin versions up to 1.2.50 contains a SQL Injection vulnerability, allowing attackers to manipulate SQL queries.
Versions of Stop Spammers up to 2026.3 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
GamiPress versions up to 7.8.7 contain a SQL Injection vulnerability that can be exploited by subscribers.
Montonio for WooCommerce versions up to 10.1.2 have a vulnerability in access control that allows unauthorized access to resources.
Versions of EmbedPress up to 4.5.2 are vulnerable to unauthorized access to sensitive data.
Versions of MW WP Form <= 5.1.3 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
Versions of Simple Shopping Cart <= 5.2.9 are vulnerable to unauthenticated Insecure Direct Object References (IDOR). This allows attackers to access resources they should not have access to.
Versions of Quiz And Survey Master <= 11.1.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts, potentially leading to user data theft.
Versions of Post SMTP <= 3.6.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.
In WPForms versions <= 1.10.0.4, there is an issue with unauthenticated access to the contact form, leading to broken access control.
OliveTin in versions 3000.0.0 and prior allows access to predefined shell commands from a web interface. The use of a shared template engine instance without synchronization leads to race conditions, resulting in cross-user command contamination and execution errors.
Cursor is a code editor designed for programming with AI. In versions prior to 3.0.0, Cursor Desktop could execute workspace-defined hook commands from .claude/settings.local.json without dedicated user approval.
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.
Wasmtime, a runtime for WebAssembly, has a vulnerability in versions prior to 24.0.9, 36.0.10, and 44.0.2 that allows bypassing the access control mechanism using the wasip2 descriptor.open-at or wasip1 path_open interfaces. The issue arises from a missing assignment in the open mode handling, allowing files to be opened with the OpenFlags::TRUNCATE flag without the necessary write permissions.
WpEvently versions up to 5.3.3 contain an unauthenticated vulnerability that could be exploited by attackers.

