CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The Print Invoice & Delivery Notes for WooCommerce plugin version 7.1.1 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability is due to missing proper authorization, enabling disclosure of confidential information without requiring login.
In the Travel Booking plugin version 2.2.5 and earlier, a vulnerability was found that allows a subscriber-level user to upload arbitrary files to the server. This flaw can be exploited to upload malicious software.
A vulnerability in the Quform plugin versions up to 2.23.0 allows a subscriber-level user to upload arbitrary files to the server. An attacker can exploit this flaw to upload a malicious file, potentially leading to full site compromise.
The Uncanny Automator Pro plugin version 7.3.0.6 and earlier is vulnerable to PHP Object Injection via a Subscriber role. An attacker can remotely execute arbitrary code on the server.
PHP Object Injection vulnerability in RealHomes plugin versions up to 4.5.3 allows an attacker with subscriber role to inject a malicious PHP object. This can lead to remote code execution or other unauthorized actions on the server.
The Payment Gateway Based Fees and Discounts for WooCommerce plugin version 3.0.0 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access sensitive data or perform unauthorized operations without authentication.
The Perfmatters plugin version 2.6.3 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without authentication.
Cross Site Scripting (XSS) vulnerability in ListingPro plugin versions up to 2.9.11, allowing subscriber-level users to inject malicious JavaScript code.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Automatic versions prior to 3.135.1.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Blog2Social version 8.9.2 and earlier. The attack can be carried out without authentication, increasing the risk of exploitation.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Customer Reviews for WooCommerce version 5.110.1 and earlier.
The Responsive Lightbox plugin version 2.7.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The vulnerability allows an unauthenticated attacker to execute XSS scripts in the Gutenverse Form plugin up to version 2.4.7.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Quick Interest Slider versions up to and including 3.1.6.
Privilege escalation vulnerability in Frisbii Pay plugin for WordPress versions up to 1.8.2 allows contributors to gain unauthorized administrative access.
Unauthenticated SQL injection vulnerability in WordPress 결제 심플페이 plugin versions up to 5.5.6. An unauthenticated attacker can execute arbitrary SQL queries.
BitFire Security plugin version 5.0.3 and earlier contains multiple unauthenticated vulnerabilities. An attacker can remotely exploit these flaws without requiring authentication.
An unauthenticated SQL Injection vulnerability exists in Library Management System versions 3.5.7 and earlier. An attacker can remotely execute arbitrary SQL queries, leading to unauthorized database access.
A vulnerability in the Dokan Pro plugin version 5.0.4 and earlier allows an unauthenticated attacker to escalate privileges. This means a person without a valid account can gain higher privileges in the system.
The vulnerability in Buddyboss Platform versions up to 3.0.4 allows subscribers to perform PHP object injection. An attacker can exploit this flaw to execute arbitrary code on the server.

