CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Insecure Direct Object References (IDOR) vulnerability in Majestic Support versions up to 1.1.7 allows subscribers to access other users' resources by manipulating object identifiers.
The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.
The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.
The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.
The Gallery plugin for WordPress versions 4.7.8 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker with contributor privileges to execute unauthorized database queries.
In Real Estate 7 versions up to 3.5.9, there is an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions in the application.
The MasterStudy LMS plugin versions up to 3.7.30 contain a vulnerability related to broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.
Cross Site Scripting (XSS) vulnerability in Fluent Booking versions up to 2.1.0 allows an attacker to inject malicious JavaScript code through improperly sanitized contributor input.
Unauthenticated Cross Site Request Forgery (CSRF) vulnerability in Abandoned Cart Lite for WooCommerce versions up to 6.8.0. An attacker can trick an administrator into performing unintended actions without their knowledge.
The wpForo Forum plugin version 3.0.9 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries, potentially leading to unauthorized database access.
The FunnelKit Payment Gateway for Stripe WooCommerce plugin version 1.14.0.3 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of a logged-in WooCommerce store administrator.
The PPWP plugin version 1.9.19 and earlier contains an Insecure Direct Object References (IDOR) vulnerability in the contributor functionality. This allows unauthorized access to private data.
The WCBoost – Products Compare plugin in versions 1.1.0 and below allows unauthenticated users to access sensitive data. This vulnerability stems from a lack of proper security on API endpoints or pages that display confidential information.
The Email Marketing for WooCommerce by Omnisend plugin in versions 1.19.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to administrative functions.
SQL Injection vulnerability in Popup box versions up to 6.0.1 allows an administrator to inject malicious SQL code. An attacker with admin privileges can manipulate database queries.
The Blocksy Companion Pro plugin version 2.1.46 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access resources that should be protected without authentication.
The StatCounter plugin version 2.1.1 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.
SQL Injection vulnerability in WP All Import plugin versions up to 4.0.1 allows an administrator to inject malicious SQL code into the database.
Server Side Request Forgery (SSRF) vulnerability in Kirki plugin versions up to 6.0.11 allows a subscriber to send HTTP requests from the server to internal network resources.
The WPCafe plugin in version 3.0.14 and earlier contains a vulnerability of broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

