CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The Gmail SMTP plugin version 1.2.3.19 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions in the context of a logged-in administrator.
Cross Site Scripting (XSS) vulnerability in Hester Core versions up to 1.1.8. Allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.
The vulnerability allows an unauthenticated attacker to perform a Cross-Site Request Forgery (CSRF) in the Child Theme Wizard plugin version 1.4 and earlier. The attack can lead to unauthorized changes in the plugin configuration without the administrator's knowledge.
The Affiliates Manager plugin version 2.9.49 and earlier suffers from a broken access control vulnerability for affiliates. This allows unauthorized users to perform actions they should not have permission to.
The WP Job Portal plugin version 2.5.2 and earlier contains a SQL injection vulnerability in the Contributor module. This allows an attacker to manipulate database queries.
An IDOR vulnerability in JS Help Desk versions up to 3.1.0 allows an unauthenticated attacker to directly access objects such as tickets or customer data by manipulating request parameters.
Cross Site Scripting (XSS) vulnerability in Ghost Kit plugin version 3.6.0 and earlier. The flaw allows an attacker to inject malicious JavaScript code into the page through the contributor functionality.
Cross Site Scripting (XSS) vulnerability in Magazine Blocks plugin versions up to 1.8.3 allows an attacker to inject malicious JavaScript code. The flaw exists in the contributor context, meaning it can be exploited by users with low privileges.
The Shoppable Images Lite plugin version 1.3 and earlier contains a vulnerability due to improper access control for subscribers. Users with the subscriber role can gain unauthorized access to features that should be restricted for them.
The Nelio Content plugin for WordPress versions 4.3.4 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data they should not have permissions for.
The Panorama Viewer – 360 Degree Image + Video Viewer plugin version 1.6.1 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.
Insecure Direct Object References (IDOR) vulnerability in Majestic Support versions up to 1.1.7 allows subscribers to access other users' resources by manipulating object identifiers.
The vulnerability in the Newsletters plugin up to version 4.13 allows unauthorized access to subscriber management functions. The lack of proper access control enables an attacker to manipulate subscriber data without required permissions.
The Restaurant Menu by MotoPress plugin version 2.4.10 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries into the database.
The WP Post Author plugin version 3.9.1 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker to manipulate database queries.
The Gallery plugin for WordPress versions 4.7.8 and earlier contains a SQL injection vulnerability in the Contributor function. This allows an attacker with contributor privileges to execute unauthorized database queries.
In Real Estate 7 versions up to 3.5.9, there is an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions in the application.
The MasterStudy LMS plugin versions up to 3.7.30 contain a vulnerability related to broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.
Cross Site Scripting (XSS) vulnerability in Fluent Booking versions up to 2.1.0 allows an attacker to inject malicious JavaScript code through improperly sanitized contributor input.
Unauthenticated Cross Site Request Forgery (CSRF) vulnerability in Abandoned Cart Lite for WooCommerce versions up to 6.8.0. An attacker can trick an administrator into performing unintended actions without their knowledge.

