CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An unauthenticated Cross Site Request Forgery (CSRF) vulnerability exists in Booked version 3.0.0 and earlier. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The Booked plugin version 3.0.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A subscriber can gain unauthorized access to functions intended for higher roles.
The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data that should be restricted.
The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for subscribers. This allows unauthorized users with the subscriber role to access functions or data they should not have permissions for.
The Werkstatt plugin version 4.7.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.
The Werkstatt plugin in versions 4.7.2 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to gain unauthorized access to functions or data.
A vulnerability in POS Entegratör versions up to 3.7.103 allows unauthenticated attackers to bypass access controls. This means an attacker without valid credentials can gain unauthorized access to system functions or data.
The Custom Field Template plugin for WordPress versions 2.7.8 and earlier contains a Contributor SQL Injection vulnerability. An attacker with contributor privileges can inject malicious SQL queries into the database.
The WowAddons plugin version 1.6.14 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The Martfury - WooCommerce Marketplace WordPress theme version 3.2.8 and earlier contains a broken access control vulnerability for subscribers. It allows users with the subscriber role to gain unauthorized access to functions or data that should be restricted.
The TheFox plugin for WordPress versions 3.9.70 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.
The WP Fast Total Search plugin version 1.80.280 and earlier contains an unauthenticated SQL injection vulnerability. An attacker without authentication can send crafted queries to the database.
The Simple Link Directory plugin version 15.0.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The GeoDirectory plugin version 2.8.161 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability exploitable by subscribers. This allows an attacker with subscriber privileges to send HTTP requests to internal server resources.
The Kirki plugin version 6.0.11 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access protected resources or data without authentication.
GeekyBot versions up to 1.2.5 are vulnerable to unauthenticated SQL injection. An attacker can remotely execute arbitrary SQL queries without authentication.
The Slider Revolution plugin versions 7.0.0 through 7.0.16 contain a reflected Cross-site Scripting (XSS) vulnerability due to improper input neutralization during web page generation. An attacker can inject a malicious script into an HTTP request that will be executed in the victim's browser.
The Novalnet Payment Gateway for WooCommerce plugin version 12.10.3 and earlier is vulnerable to unauthenticated PHP Object Injection. An attacker can remotely send a crafted request, leading to arbitrary PHP code execution on the server.
The WP Photo Album Plus plugin version 9.2.02.004 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Timetics plugin version 1.0.58 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

