CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57757
High

The pCloud WP Backup plugin version 2.0.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions in the WordPress admin panel.

CVE-2026-57756
High

The nicen-localize-image plugin version 1.4.9 and earlier contains a SQL injection vulnerability in the Contributor component. This allows an attacker to manipulate database queries.

CVE-2026-57755
Medium

The Mosaic Gallery – Advanced Gallery plugin version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.

CVE-2026-57754
Medium

The Livemesh Addons for WPBakery Page Builder plugin version 3.9.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor functionality. This allows an attacker to inject malicious JavaScript code into the page.

CVE-2026-57753
Medium

The Kit (formerly ConvertKit) plugin for WooCommerce versions 2.1.5 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability stems from a lack of proper access controls on data stored by the plugin.

CVE-2026-57752
High

SQL Injection vulnerability in the Contributor component of iNET Webkit 1.2.4 allows an attacker to inject malicious SQL code into database queries.

CVE-2026-57751
High

The Heateor Social Login plugin version 1.1.39 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.

CVE-2026-57750
Medium

The ez Form Calculator Premium plugin version 2.14.1.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to functions or data without required authentication.

CVE-2026-57749
High

The SportsPress Pro plugin version 2.7.29 and earlier contains a Contributor Local File Inclusion (LFI) vulnerability. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2026-57748
High

The Shopify plugin version 1.0.0 and earlier contains a Local File Inclusion (LFI) vulnerability via the Contributor function. This allows an attacker to read sensitive files on the server.

CVE-2026-57747
Medium

An unauthenticated Cross Site Request Forgery (CSRF) vulnerability exists in Booked version 3.0.0 and earlier. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.

CVE-2026-57746
High

The Booked plugin version 3.0.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A subscriber can gain unauthorized access to functions intended for higher roles.

CVE-2026-57731
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data that should be restricted.

CVE-2026-57730
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for subscribers. This allows unauthorized users with the subscriber role to access functions or data they should not have permissions for.

CVE-2026-57690
Medium

The Werkstatt plugin version 4.7.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.

CVE-2026-57689
Medium

The Werkstatt plugin in versions 4.7.2 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to gain unauthorized access to functions or data.

CVE-2026-57688
High

A vulnerability in POS Entegratör versions up to 3.7.103 allows unauthenticated attackers to bypass access controls. This means an attacker without valid credentials can gain unauthorized access to system functions or data.

CVE-2026-57687
High

The Custom Field Template plugin for WordPress versions 2.7.8 and earlier contains a Contributor SQL Injection vulnerability. An attacker with contributor privileges can inject malicious SQL queries into the database.

CVE-2026-57686
High

The WowAddons plugin version 1.6.14 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57685
Medium

The Martfury - WooCommerce Marketplace WordPress theme version 3.2.8 and earlier contains a broken access control vulnerability for subscribers. It allows users with the subscriber role to gain unauthorized access to functions or data that should be restricted.

PreviousPage 22 of 4487Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS