CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57747
Medium

An unauthenticated Cross Site Request Forgery (CSRF) vulnerability exists in Booked version 3.0.0 and earlier. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.

CVE-2026-57746
High

The Booked plugin version 3.0.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A subscriber can gain unauthorized access to functions intended for higher roles.

CVE-2026-57731
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data that should be restricted.

CVE-2026-57730
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for subscribers. This allows unauthorized users with the subscriber role to access functions or data they should not have permissions for.

CVE-2026-57690
Medium

The Werkstatt plugin version 4.7.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.

CVE-2026-57689
Medium

The Werkstatt plugin in versions 4.7.2 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to gain unauthorized access to functions or data.

CVE-2026-57688
High

A vulnerability in POS Entegratör versions up to 3.7.103 allows unauthenticated attackers to bypass access controls. This means an attacker without valid credentials can gain unauthorized access to system functions or data.

CVE-2026-57687
High

The Custom Field Template plugin for WordPress versions 2.7.8 and earlier contains a Contributor SQL Injection vulnerability. An attacker with contributor privileges can inject malicious SQL queries into the database.

CVE-2026-57686
High

The WowAddons plugin version 1.6.14 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57685
Medium

The Martfury - WooCommerce Marketplace WordPress theme version 3.2.8 and earlier contains a broken access control vulnerability for subscribers. It allows users with the subscriber role to gain unauthorized access to functions or data that should be restricted.

CVE-2026-57684
Medium

The TheFox plugin for WordPress versions 3.9.70 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.

CVE-2026-57683
Critical

The WP Fast Total Search plugin version 1.80.280 and earlier contains an unauthenticated SQL injection vulnerability. An attacker without authentication can send crafted queries to the database.

CVE-2026-57682
High

The Simple Link Directory plugin version 15.0.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57681
Medium

The GeoDirectory plugin version 2.8.161 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability exploitable by subscribers. This allows an attacker with subscriber privileges to send HTTP requests to internal server resources.

CVE-2026-57680
Medium

The Kirki plugin version 6.0.11 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access protected resources or data without authentication.

CVE-2026-57679
Critical

GeekyBot versions up to 1.2.5 are vulnerable to unauthenticated SQL injection. An attacker can remotely execute arbitrary SQL queries without authentication.

CVE-2026-57678
High

The Slider Revolution plugin versions 7.0.0 through 7.0.16 contain a reflected Cross-site Scripting (XSS) vulnerability due to improper input neutralization during web page generation. An attacker can inject a malicious script into an HTTP request that will be executed in the victim's browser.

CVE-2026-57677
Critical

The Novalnet Payment Gateway for WooCommerce plugin version 12.10.3 and earlier is vulnerable to unauthenticated PHP Object Injection. An attacker can remotely send a crafted request, leading to arbitrary PHP code execution on the server.

CVE-2026-57675
High

The WP Photo Album Plus plugin version 9.2.02.004 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57674
High

The Timetics plugin version 1.0.58 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

PreviousPage 30 of 4511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS