CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-57646
Medium

Insecure Direct Object References (IDOR) vulnerability in Majestic Support versions up to 1.1.7 allows subscribers to access other users' resources by manipulating object identifiers.

CVE-2026-57645
High

The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.

CVE-2026-57644
High

The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.

CVE-2026-57643
High

The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.

CVE-2026-57642
High

The Gallery plugin for WordPress versions 4.7.8 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker with contributor privileges to execute unauthorized database queries.

CVE-2026-57641
Medium

In Real Estate 7 versions up to 3.5.9, there is an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions in the application.

CVE-2026-57640
Medium

The MasterStudy LMS plugin versions up to 3.7.30 contain a vulnerability related to broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

CVE-2026-57638
Medium

Cross Site Scripting (XSS) vulnerability in Fluent Booking versions up to 2.1.0 allows an attacker to inject malicious JavaScript code through improperly sanitized contributor input.

CVE-2026-57637
Medium

Unauthenticated Cross Site Request Forgery (CSRF) vulnerability in Abandoned Cart Lite for WooCommerce versions up to 6.8.0. An attacker can trick an administrator into performing unintended actions without their knowledge.

CVE-2026-57636
High

The wpForo Forum plugin version 3.0.9 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries, potentially leading to unauthorized database access.

CVE-2026-57635
Medium

The FunnelKit Payment Gateway for Stripe WooCommerce plugin version 1.14.0.3 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of a logged-in WooCommerce store administrator.

CVE-2026-57634
Medium

The PPWP plugin version 1.9.19 and earlier contains an Insecure Direct Object References (IDOR) vulnerability in the contributor functionality. This allows unauthorized access to private data.

CVE-2026-57633
Medium

The WCBoost – Products Compare plugin in versions 1.1.0 and below allows unauthenticated users to access sensitive data. This vulnerability stems from a lack of proper security on API endpoints or pages that display confidential information.

CVE-2026-57632
Medium

The Email Marketing for WooCommerce by Omnisend plugin in versions 1.19.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to administrative functions.

CVE-2026-57631
High

SQL Injection vulnerability in Popup box versions up to 6.0.1 allows an administrator to inject malicious SQL code. An attacker with admin privileges can manipulate database queries.

CVE-2026-57630
Medium

The Blocksy Companion Pro plugin version 2.1.46 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access resources that should be protected without authentication.

CVE-2026-57629
Medium

The StatCounter plugin version 2.1.1 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.

CVE-2026-57628
High

SQL Injection vulnerability in WP All Import plugin versions up to 4.0.1 allows an administrator to inject malicious SQL code into the database.

CVE-2026-57627
Medium

Server Side Request Forgery (SSRF) vulnerability in Kirki plugin versions up to 6.0.11 allows a subscriber to send HTTP requests from the server to internal network resources.

CVE-2026-57622
Medium

The WPCafe plugin in version 3.0.14 and earlier contains a vulnerability of broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

PreviousPage 153 of 4551Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS