CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The W3 Total Cache plugin versions up to 2.9.4 contain a critical vulnerability allowing unauthenticated remote arbitrary code execution. The flaw stems from insufficient input validation in the caching mechanism.
The Booktics plugin version 1.0.21 and earlier contains an unauthenticated PHP Object Injection vulnerability. An attacker can remotely inject a malicious PHP object without authentication.
The Modula - PRO plugin version 2.10.8 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The WPAdverts plugin version 2.3.1 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The ChatBot plugin version 8.3.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Survey Maker plugin for WordPress versions 5.2.2.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows a remote attacker to inject malicious script without requiring authentication.
The eCommerce Product Catalog plugin version 3.5.4 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The ReviewX plugin for WordPress versions 2.3.10 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Customize My Account for WooCommerce plugin version 4.3.9 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject a malicious script that executes in the victim's browser.
The Search Atlas SEO plugin version 2.6.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The MC Woocommerce Wishlist plugin version 1.9.19 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains a broken access control vulnerability exploitable by subscribers. This allows users with the subscriber role to perform unauthorized actions.
The JetReviews plugin version 3.0.0.1 and earlier contains a Cross Site Scripting (XSS) vulnerability exploitable by subscribers. It allows injection of malicious scripts into the page by a user with the subscriber role.
The Link Whisper Premium plugin version 2.9.0 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.
The ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce plugin version 2.2.0 and earlier contains a vulnerability allowing an unauthenticated attacker to break the authentication mechanism. This flaw enables bypassing the login process and gaining unauthorized access to administrative functions.
The HandL UTM Grabber plugin version 2.9.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript without requiring authentication.
The WP Debugging plugin version 2.12.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The WPeMatico RSS Feed Fetcher plugin versions up to 2.8.17 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.
The Paid Member Subscriptions plugin version 3.0.4 and earlier contains an unauthenticated Server Side Request Forgery (SSRF) vulnerability. An attacker can send crafted HTTP requests that are executed by the server, enabling access to internal network resources.
The Hotel Booking Lite plugin version 6.0.3 and earlier exposes sensitive subscriber data. This vulnerability allows unauthorized users to access confidential information stored in the system.

