CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57623
Critical

The W3 Total Cache plugin versions up to 2.9.4 contain a critical vulnerability allowing unauthenticated remote arbitrary code execution. The flaw stems from insufficient input validation in the caching mechanism.

CVE-2026-57621
Critical

The Booktics plugin version 1.0.21 and earlier contains an unauthenticated PHP Object Injection vulnerability. An attacker can remotely inject a malicious PHP object without authentication.

CVE-2026-57426
High

The Modula - PRO plugin version 2.10.8 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57366
High

The WPAdverts plugin version 2.3.1 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57362
High

The ChatBot plugin version 8.3.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57361
High

The Survey Maker plugin for WordPress versions 5.2.2.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows a remote attacker to inject malicious script without requiring authentication.

CVE-2026-57360
High

The eCommerce Product Catalog plugin version 3.5.4 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57359
High

The ReviewX plugin for WordPress versions 2.3.10 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57358
High

The Customize My Account for WooCommerce plugin version 4.3.9 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject a malicious script that executes in the victim's browser.

CVE-2026-57357
High

The Search Atlas SEO plugin version 2.6.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57356
High

The MC Woocommerce Wishlist plugin version 1.9.19 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57355
Medium

The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains a broken access control vulnerability exploitable by subscribers. This allows users with the subscriber role to perform unauthorized actions.

CVE-2026-57354
Medium

The JetReviews plugin version 3.0.0.1 and earlier contains a Cross Site Scripting (XSS) vulnerability exploitable by subscribers. It allows injection of malicious scripts into the page by a user with the subscriber role.

CVE-2026-57353
Medium

The Link Whisper Premium plugin version 2.9.0 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.

CVE-2026-57352
Medium

The ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce plugin version 2.2.0 and earlier contains a vulnerability allowing an unauthenticated attacker to break the authentication mechanism. This flaw enables bypassing the login process and gaining unauthorized access to administrative functions.

CVE-2026-57351
High

The HandL UTM Grabber plugin version 2.9.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript without requiring authentication.

CVE-2026-57350
High

The WP Debugging plugin version 2.12.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57349
High

The WPeMatico RSS Feed Fetcher plugin versions up to 2.8.17 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.

CVE-2026-57348
High

The Paid Member Subscriptions plugin version 3.0.4 and earlier contains an unauthenticated Server Side Request Forgery (SSRF) vulnerability. An attacker can send crafted HTTP requests that are executed by the server, enabling access to internal network resources.

CVE-2026-57347
Medium

The Hotel Booking Lite plugin version 6.0.3 and earlier exposes sensitive subscriber data. This vulnerability allows unauthorized users to access confidential information stored in the system.

PreviousPage 29 of 4509Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS