CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Cross Site Scripting (XSS) vulnerability in Neve PRO versions up to 3.1.2 inclusive. The flaw allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.
The SeedProd Pro plugin versions prior to 6.19.5 contain a Cross Site Scripting (XSS) vulnerability in the contributor function. It allows an attacker to inject malicious JavaScript code into pages generated by the plugin.
The Featured Image plugin for WordPress version 2.1 and earlier contains a Cross-Site Scripting (XSS) vulnerability in the author function. This allows an unauthenticated attacker to inject malicious JavaScript code.
The SEOPress PRO plugin version 9.1.1 and earlier contains a vulnerability related to broken access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be restricted.
The vulnerability in the GIFT4U plugin versions up to 1.0.10 allows unauthenticated attackers to bypass access controls. This can lead to unauthorized access to functions or data.
The Flash & HTML5 Video plugin version 2.11.0 and earlier contains an unauthenticated broken access control vulnerability. An attacker can gain unauthorized access to functions or data without required authentication.
The Site Reviews plugin version 8.0.11 and earlier allows sensitive subscriber data exposure. This vulnerability enables unauthorized users to access information that should be protected.
The vulnerability in GetGenie plugin versions up to 4.4.2 allows exposure of sensitive subscriber data. An attacker can access information that should be protected.
Cross Site Scripting (XSS) vulnerability in SureCart plugin versions up to 4.2.2, allowing a subscriber-level user to inject malicious script.
The ShortPixel Adaptive Images plugin versions up to 3.11.4 contain a vulnerability allowing an unauthenticated attacker to delete arbitrary files on the server. The flaw is due to missing proper authorization and input validation.
The Payment Gateway Based Fees and Discounts for WooCommerce plugin version 3.0.0 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access sensitive data or perform unauthorized operations without authentication.
Cross Site Scripting (XSS) vulnerability in ListingPro plugin versions up to 2.9.11, allowing subscriber-level users to inject malicious JavaScript code.
A Server Side Request Forgery (SSRF) vulnerability exists in the utm.codes plugin versions up to 1.9.0. It allows a Subscriber to send HTTP requests from the server to internal or external resources.
The User Registration plugin version 5.2.2 and earlier contains an unauthenticated broken access control vulnerability. An attacker without authentication can exploit this flaw to perform unauthorized actions.
A vulnerability in the Mattermost Agents plugin MCP server allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) by supplying internal URLs as file attachments in post creation requests. Affected versions are 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6.
A vulnerability in the thr_kill2(2) function of FreeBSD allows sending a signal to any process without checking permissions. The missing verification of the p_cansignal() result enables an unprivileged user to send signals to processes owned by other users or root, as well as across jail boundaries.
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
The vulnerability in SiteGround Email Marketing plugin versions up to 1.7.5 allows unauthenticated attackers to bypass access control. Lack of required authentication enables unauthorized operations on plugin resources.
The BNE Testimonials plugin version 2.0.8 and earlier contains a Cross Site Scripting (XSS) vulnerability from contributors. This allows injection of malicious JavaScript code by content authors.
Cross Site Scripting (XSS) vulnerability in Image Carousel plugin versions up to 1.0.0.41 allows an attacker to inject malicious JavaScript code into the page. The flaw is due to insufficient input sanitization.

