CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.14)
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to and including 1.0.0. The function does not perform nonce verification, capability checks, or ownership checks before deleting data from the wp_cf7cdb_data table.
The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page, allowing unauthenticated attackers to bulk-overwrite image ALT-text metadata.
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 4.5.18 via the 'new_link' parameter. This allows authenticated attackers with contributor-level access or higher to make arbitrary HTTP requests from the application, potentially querying and modifying information from internal services.
The Site Kit by Google WordPress plugin before version 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.
The Post Duplicator WordPress plugin before version 3.0.15 does not safely handle custom meta-data during post duplication, allowing attacker-supplied serialized values to be stored without the WordPress meta API's double-serialization protection.
WordPress plugins such as Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce before specified versions contained malicious code. They were distributed through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage attack.
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. The issue arises from missing or incorrect nonce validation on the main admin panel and on subpages, allowing unauthenticated attackers to perform destructive operations.
The AI Share & Summarize WordPress plugin before version 2.0.4 does not sanitize and escape some shortcode attributes before outputting them on a page, allowing users with Contributor role and above to perform Stored Cross-Site Scripting attacks.
The Cincopa plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via cincopa shortcode in post comments in all versions up to and including 1.163 due to insufficient input sanitization and output escaping.
The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'email' shortcode in all versions up to and including 1.03 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
An out-of-bounds heap read and integer underflow in TCP urgent data handling in libslirp versions before v4.9.2 allows a privileged guest VM attacker to leak sensitive host-process heap memory.
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.
The GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on port 10001, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.
The GV-I/O Box 4E is a smart embedded device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, leading to potential buffer overflow.
The GV-I/O Box 4E is an embedded smart device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, potentially leading to unauthorized access or device failure.
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted network request can lead to a denial of service.
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.
GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on this device, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.

