CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The JetSmartFilters plugin versions up to 3.8.3 contain an SQL injection vulnerability that can be exploited by an unauthenticated attacker. The flaw allows executing arbitrary SQL queries on the database.
The ShortPixel Adaptive Images plugin versions up to 3.11.4 contain a vulnerability allowing an unauthenticated attacker to delete arbitrary files on the server. The flaw is due to missing proper authorization and input validation.
SQL Injection vulnerability in Tourfic plugin up to version 2.22.5 allows a subscriber to inject malicious SQL code into database queries.
The vulnerability in the MailChimp Block plugin versions up to 1.1.15 allows unauthenticated attackers to bypass access controls. This can lead to unauthorized access to functions or data.
Unauthenticated SQL injection vulnerability in Quotes llama plugin versions up to 3.1.5. An attacker without authentication can execute arbitrary SQL queries.
The Subscriptions for WooCommerce plugin version 1.9.5 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized operations on subscriptions without requiring authentication.
The Print Invoice & Delivery Notes for WooCommerce plugin version 7.1.1 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability is due to missing proper authorization, enabling disclosure of confidential information without requiring login.
In the Travel Booking plugin version 2.2.5 and earlier, a vulnerability was found that allows a subscriber-level user to upload arbitrary files to the server. This flaw can be exploited to upload malicious software.
A vulnerability in the Quform plugin versions up to 2.23.0 allows a subscriber-level user to upload arbitrary files to the server. An attacker can exploit this flaw to upload a malicious file, potentially leading to full site compromise.
The Uncanny Automator Pro plugin version 7.3.0.6 and earlier is vulnerable to PHP Object Injection via a Subscriber role. An attacker can remotely execute arbitrary code on the server.
PHP Object Injection vulnerability in RealHomes plugin versions up to 4.5.3 allows an attacker with subscriber role to inject a malicious PHP object. This can lead to remote code execution or other unauthorized actions on the server.
The Payment Gateway Based Fees and Discounts for WooCommerce plugin version 3.0.0 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access sensitive data or perform unauthorized operations without authentication.
The Perfmatters plugin version 2.6.3 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without authentication.
Cross Site Scripting (XSS) vulnerability in ListingPro plugin versions up to 2.9.11, allowing subscriber-level users to inject malicious JavaScript code.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Automatic versions prior to 3.135.1.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Blog2Social version 8.9.2 and earlier. The attack can be carried out without authentication, increasing the risk of exploitation.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Customer Reviews for WooCommerce version 5.110.1 and earlier.
The Responsive Lightbox plugin version 2.7.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The vulnerability allows an unauthenticated attacker to execute XSS scripts in the Gutenverse Form plugin up to version 2.4.7.
The vulnerability allows an unauthenticated attacker to perform XSS attacks in Quick Interest Slider versions up to and including 3.1.6.

