CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the SpaLab Beauty Salon WordPress Theme version 6.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.
The Trendy Travel plugin version 6.7 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The Artale | Wedding Photography WordPress plugin version 2.2.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The OpenAI Chatbot for WordPress – Helper plugin version 1.1.4 and earlier contains a vulnerability allowing unauthenticated attackers to delete arbitrary content. The flaw is due to missing authorization and input validation.
The Tourmaster plugin version 5.4.5 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by a subscriber. An authenticated user with the subscriber role can read arbitrary files on the server.
The Corpkit plugin version 1.0.5 and earlier allows exposure of sensitive subscriber data. This vulnerability enables unauthorized users to access confidential information.
The Unicamp plugin version 2.2.2 and earlier contains a SQL injection vulnerability exploitable by subscribers. An attacker with subscriber privileges can inject malicious SQL queries, potentially leading to unauthorized database access.
The Woostify Sites Library plugin version 1.6.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to template library functions.
An unauthenticated Local File Inclusion vulnerability exists in Lighthouse versions up to 1.2.12. It allows an attacker to read arbitrary files from the server without authentication.
In the liboauth2 library, the DPoP verifier accepts a proof whose jwk header contains private key material. The oauth2_token_verify() function returns success for a malformed DPoP proof embedding a private EC key, violating RFC 9449 requirements.
The liboauth2 library is vulnerable to Server-Side Request Forgery (SSRF) in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, the kid value is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET request is issued before signature verification.
The WP Database Backup plugin for WordPress up to version 7.11 is vulnerable to OS command injection via the `wp_db_exclude_table` parameter. An authenticated attacker with administrator privileges can inject malicious data that is directly concatenated into the `mysqldump` command without proper escaping, allowing arbitrary command execution on the server.
The Wappointment plugin for WordPress up to version 2.7.6 contains an Insecure Direct Object Reference (IDOR) vulnerability. The authorization key `edit_key` is generated as a predictable, unsalted MD5 hash of a sequential client ID, a publicly observable timestamp, and a small staff ID, allowing unauthenticated attackers to compute it and cancel or reschedule other users' appointments.
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress up to version 1.5.1 contains an arbitrary file copy vulnerability. The create_entry_el() function passes the raw_value from Elementor Pro's Form_Record object directly to PHP's copy() without validation, allowing an attacker to copy any file from the server or from an external URL.
A vulnerability was discovered in StormShield Network Security versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5, allowing a possible leak of secret information when administration commands are passed via the CLI tool. An attacker with SSH access to the firewall (if SSH multiuser mode is enabled) could potentially obtain the proxy CA passphrase or TPM password.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter in the wprp_load_more_revs AJAX action. The unsanitized value is concatenated directly into an AND id NOT IN (...) clause, allowing unauthenticated attackers to extract database data.
The vulnerability in PIA uses a bare string-prefix check for the OIDC issuer allowlist instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer that passes the prefix check but points to a controlled server. This allows an unauthenticated caller of POST /v1/upload/sbom to force outbound HTTP(S) requests to an arbitrary host and accept a JWT signed with the attacker's key.
The Groundhogg plugin for WordPress (versions up to 4.5.8) is vulnerable to SQL injection via the 'select' parameter. An authenticated attacker with custom-level access or higher can append additional SQL queries, enabling extraction of sensitive database information.
The JetFormBuilder plugin for WordPress up to version 3.6.3 has an authorization bypass vulnerability, allowing unauthenticated attackers to retrieve any values from post meta, including WooCommerce PII, order totals, attachment paths, and third-party plugin credentials. Exploitation requires at least one published form with a get_from_db generator field.
The Ninja Forms - File Uploads plugin for WordPress up to version 3.3.29 is vulnerable to Arbitrary File Read. The attach_files() function improperly handles a raw attacker-controlled 'files' array, bypassing upload validation, path normalization, and database record creation, allowing an unauthenticated attacker to read arbitrary files on the server.

