CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The Divi Form Builder plugin for WordPress up to version 5.1.8 is vulnerable to arbitrary file upload leading to remote code execution. The issue is due to insufficient file extension validation in the do_image_upload() function, where the acceptFileTypes POST parameter is directly interpolated into a regular expression. Attackers can upload files with .phtml, .phar, .php5, or .php7 extensions, bypassing .htaccess protection that only blocks .php files.
PraisonAI before version 0.1.7 fails to validate that the project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.
A privilege escalation flaw in luci-app-travelmate and the travelmate package allows a session with UCI write ACL to set arbitrary script and arguments, executed as root by the travelmate service. The UI restriction to /etc/travelmate/*.login is only frontend.
A stored Cross-Site Scripting (XSS) vulnerability has been found in TR7 Cyber Defense Inc. WAF-ASP due to improper input neutralization during web page generation. The issue affects versions from v1.0.324.900 before v1.4.0.117.
A DOM-Based XSS vulnerability was found in TR7 Cyber Defense Inc. Web Application Firewall due to improper input neutralization during page generation. It affects versions from 1.0.42.239 before 1.4.0.117.
The WPIDE – File Manager & Code Editor plugin version 3.5.6 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions in the context of the site administrator.
The WP EasyCart plugin for WordPress versions 5.9.0 and earlier contains a SQL injection vulnerability via the 'contributor' attribute. This allows an attacker to manipulate database queries.
The Surbma | Yoast SEO Breadcrumb Shortcode plugin version 1.2 and earlier contains a Contributor Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious JavaScript code into the page.
The Structured Content plugin version 1.7.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.
The Simple URLs plugin for WordPress version 151 and earlier contains a Stored Cross Site Scripting (XSS) vulnerability. An author can inject a malicious script that will be executed in the browser of an administrator or other user.
The SEOWP plugin version 3.12.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions without their knowledge.
The Sendcloud Shipping plugin for WordPress has a missing authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. This issue affects versions from n/a through 1.0.29.
The ProfileGrid plugin version 5.9.9.7 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The Permalink Manager for WooCommerce plugin version 1.0.8.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The pCloud WP Backup plugin version 2.0.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions in the WordPress admin panel.
The nicen-localize-image plugin version 1.4.9 and earlier contains a SQL injection vulnerability in the Contributor component. This allows an attacker to manipulate database queries.
The Mosaic Gallery – Advanced Gallery plugin version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.
The Livemesh Addons for WPBakery Page Builder plugin version 3.9.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor functionality. This allows an attacker to inject malicious JavaScript code into the page.
The Kit (formerly ConvertKit) plugin for WooCommerce versions 2.1.5 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability stems from a lack of proper access controls on data stored by the plugin.
SQL Injection vulnerability in the Contributor component of iNET Webkit 1.2.4 allows an attacker to inject malicious SQL code into database queries.

