CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-57657
Medium

The Gmail SMTP plugin version 1.2.3.19 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions in the context of a logged-in administrator.

CVE-2026-57656
Medium

Cross Site Scripting (XSS) vulnerability in Hester Core versions up to 1.1.8. Allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.

CVE-2026-57655
High

The vulnerability allows an unauthenticated attacker to perform a Cross-Site Request Forgery (CSRF) in the Child Theme Wizard plugin version 1.4 and earlier. The attack can lead to unauthorized changes in the plugin configuration without the administrator's knowledge.

CVE-2026-57654
Medium

The Affiliates Manager plugin version 2.9.49 and earlier suffers from a broken access control vulnerability for affiliates. This allows unauthorized users to perform actions they should not have permission to.

CVE-2026-57653
High

The WP Job Portal plugin version 2.5.2 and earlier contains a SQL injection vulnerability in the Contributor module. This allows an attacker to manipulate database queries.

CVE-2026-57652
Medium

An IDOR vulnerability in JS Help Desk versions up to 3.1.0 allows an unauthenticated attacker to directly access objects such as tickets or customer data by manipulating request parameters.

CVE-2026-57651
Medium

Cross Site Scripting (XSS) vulnerability in Ghost Kit plugin version 3.6.0 and earlier. The flaw allows an attacker to inject malicious JavaScript code into the page through the contributor functionality.

CVE-2026-57650
Medium

Cross Site Scripting (XSS) vulnerability in Magazine Blocks plugin versions up to 1.8.3 allows an attacker to inject malicious JavaScript code. The flaw exists in the contributor context, meaning it can be exploited by users with low privileges.

CVE-2026-57649
Medium

The Shoppable Images Lite plugin version 1.3 and earlier contains a vulnerability due to improper access control for subscribers. Users with the subscriber role can gain unauthorized access to features that should be restricted for them.

CVE-2026-57648
Medium

The Nelio Content plugin for WordPress versions 4.3.4 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data they should not have permissions for.

CVE-2026-57647
High

The Panorama Viewer – 360 Degree Image + Video Viewer plugin version 1.6.1 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2026-57646
Medium

Insecure Direct Object References (IDOR) vulnerability in Majestic Support versions up to 1.1.7 allows subscribers to access other users' resources by manipulating object identifiers.

CVE-2026-57645
High

The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.

CVE-2026-57644
High

The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.

CVE-2026-57643
High

The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.

CVE-2026-57642
High

The Gallery plugin for WordPress versions 4.7.8 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker with contributor privileges to execute unauthorized database queries.

CVE-2026-57641
Medium

In Real Estate 7 versions up to 3.5.9, there is an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions in the application.

CVE-2026-57640
Medium

The MasterStudy LMS plugin versions up to 3.7.30 contain a vulnerability related to broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

CVE-2026-57638
Medium

Cross Site Scripting (XSS) vulnerability in Fluent Booking versions up to 2.1.0 allows an attacker to inject malicious JavaScript code through improperly sanitized contributor input.

CVE-2026-57637
Medium

Unauthenticated Cross Site Request Forgery (CSRF) vulnerability in Abandoned Cart Lite for WooCommerce versions up to 6.8.0. An attacker can trick an administrator into performing unintended actions without their knowledge.

PreviousPage 164 of 4564Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS