CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57353
Medium

The Link Whisper Premium plugin version 2.9.0 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.

CVE-2026-57352
Medium

The ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce plugin version 2.2.0 and earlier contains a vulnerability allowing an unauthenticated attacker to break the authentication mechanism. This flaw enables bypassing the login process and gaining unauthorized access to administrative functions.

CVE-2026-57351
High

The HandL UTM Grabber plugin version 2.9.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript without requiring authentication.

CVE-2026-57350
High

The WP Debugging plugin version 2.12.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57349
High

The WPeMatico RSS Feed Fetcher plugin versions up to 2.8.17 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.

CVE-2026-57348
High

The Paid Member Subscriptions plugin version 3.0.4 and earlier contains an unauthenticated Server Side Request Forgery (SSRF) vulnerability. An attacker can send crafted HTTP requests that are executed by the server, enabling access to internal network resources.

CVE-2026-57347
Medium

The Hotel Booking Lite plugin version 6.0.3 and earlier exposes sensitive subscriber data. This vulnerability allows unauthorized users to access confidential information stored in the system.

CVE-2026-57345
High

The Internal Links Manager plugin version 3.0.3 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject a malicious script that executes in the victim's browser.

CVE-2026-57344
High

The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. This allows an attacker to inject malicious JavaScript code without requiring authentication.

CVE-2026-57343
High

Real Estate 7 plugin version 3.5.9 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57342
Medium

The ShortPixel Adaptive Images plugin version 3.11.3 and earlier contains a Cross Site Scripting (XSS) vulnerability exploitable by subscribers. This allows a subscriber-level user to inject malicious JavaScript code into the page.

CVE-2026-56037
High

The Themify Popup WordPress plugin contains a deserialization of untrusted data vulnerability allowing object injection. This issue affects all versions up to and including 1.4.3.

CVE-2026-49779
Medium

The Tax Exempt for WooCommerce plugin version 1.9.3 and earlier contains a Customer Path Traversal vulnerability that allows unauthorized access to files outside the root directory.

CVE-2026-42382
High

The Audrey plugin version 1.5 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without authentication.

CVE-2026-39448
High

The NOWPayments for WooCommerce plugin version 1.4.0 and earlier contains an unauthenticated Broken Access Control vulnerability. An attacker without authentication can gain unauthorized access to functions or data.

CVE-2026-27436
Critical

The Five Star Business Profile and Schema WordPress plugin version 2.3.19 and earlier contains an editor arbitrary code execution vulnerability. An attacker can exploit this flaw to gain full control over the website.

CVE-2026-27433
Medium

The Motors plugin versions up to 5.6.80 contain an unauthenticated broken access control vulnerability. An attacker without authentication can bypass security measures and gain unauthorized access to functions or data.

CVE-2026-27430
High

TheFox plugin versions up to 3.9.76 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.

CVE-2026-27426
High

The Automotive Car Dealership Business plugin versions up to 13.3.3 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script without authentication.

CVE-2026-27425
High

The Automotive Listings plugin version 18.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject a malicious script without requiring authentication.

PreviousPage 32 of 4511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS