CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-44040
Medium

UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. The vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand(), resulting in a seed space of approximately 31 bits determined by publicly observable values. An attacker can predict the challenge within seconds, enabling forgery or offline brute-forcing of responses.

CVE-2026-2387
Medium

The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping.

CVE-2026-13731
High

The WPBot – AI ChatBot plugin for WordPress up to version 8.4.9 is vulnerable to stored cross-site scripting via the 'conversation' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access affected pages. The AJAX nonce required for saving is publicly exposed on every frontend page, removing practical exploitation barriers.

CVE-2026-13468
High

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress up to version 4.0.3 is vulnerable to authorization bypass. Unauthenticated attackers can access and export any visualizer chart, including those in draft, private, pending, future, or trash status, as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint.

CVE-2026-13443
Medium

The Tutor LMS plugin for WordPress up to version 3.9.13 inclusive is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title due to insufficient input sanitization and output escaping.

CVE-2026-13246
Medium

The GiveWP plugin for WordPress up to 4.16.0 is vulnerable to stored XSS via the 'givewp_campaign_comments' shortcode attributes. Authenticated attackers with author-level access can inject arbitrary scripts that execute on every page visit.

CVE-2026-13015
Medium

The Wp Google Places Review Slider plugin for WordPress up to version 18.1 is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter. Insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php allow unauthenticated attackers to inject arbitrary scripts that execute when a user clicks a crafted link.

CVE-2026-12923
High

The Youtube Showcase plugin for WordPress up to version 4.0.3 is vulnerable to arbitrary PHP function call due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler. Authenticated attackers with Subscriber-level access or higher can invoke zero-argument functions like phpinfo or phpversion, leading to information disclosure.

CVE-2026-12904
Medium

The Kadence Blocks plugin for WordPress up to version 3.7.7 is vulnerable to Insecure Direct Object Reference (IDOR). The authorization check uses a user-supplied post_id, but the actual read/delete operations on optimizer analysis records are performed using a hash of the post_path, which can be manipulated by the attacker. This allows authenticated attackers with Contributor-level access or higher to read or delete analysis records belonging to other users' posts.

CVE-2026-12902
Medium

The Kadence Blocks plugin for WordPress up to version 3.7.7 fails to properly verify user authorization, allowing authenticated attackers with contributor-level access or higher to create arbitrary Media Library attachments. Attackers can remotely download images to the uploads directory, bypassing the upload_files capability boundary.

CVE-2026-12135
Medium

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to and including 7.5.51.7212 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access affected pages.

CVE-2026-12133
Medium

The JoomSport plugin for WordPress up to version 5.7.8 contains a missing authorization vulnerability in the joomsport_season_groupdel() AJAX handler. It allows authenticated attackers with Subscriber-level access or higher to delete arbitrary JoomSport groups without proper capability checks.

CVE-2026-12127
Medium

The WPForms plugin for WordPress up to version 1.10.2 is vulnerable to CRLF Injection, allowing email header injection. The flaw occurs due to improper handling of the Reply-To display name, enabling unauthenticated attackers to inject arbitrary headers like Bcc into outgoing notification emails.

CVE-2026-12113
Medium

The Appointment Booking Calendar plugin for WordPress up to version 1.4.02 exposes sensitive information via the cpabc_appointments_filter_list parameter. This allows authenticated attackers with contributor-level access or higher to extract customer personal identifiable information such as names, email addresses, phone numbers, appointment comments, and other booking details.

CVE-2026-12110
Medium

The Taskbuilder plugin for WordPress up to version 5.0.8 is vulnerable to generic SQL injection via the 'task_search' parameter due to insufficient escaping and lack of query preparation. Authenticated attackers with subscriber-level access or higher can append malicious SQL queries.

CVE-2026-12090
Medium

The Taskbuilder plugin for WordPress is vulnerable to generic SQL injection via the 'wppm_proj_filter' parameter in versions up to 5.0.8. Insufficient escaping and lack of query preparation allow authenticated attackers (subscriber-level and above) to append additional SQL queries, enabling extraction of sensitive database information.

CVE-2026-11988
Medium

The LearnPress WordPress LMS plugin up to version 4.3.9.1 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'userId' parameter. An authenticated attacker with subscriber-level access or higher can view course enrollment progress and completion data belonging to instructors and administrators.

CVE-2026-11981
Medium

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function, allowing unauthenticated attackers to disable donation email notifications via a forged request.

CVE-2026-11380
Medium

The JetWidgets For Elementor plugin for WordPress up to version 1.0.21 is vulnerable to Stored Cross-Site Scripting (XSS). This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. Authenticated attackers with author-level access or higher can inject arbitrary web scripts that execute when a user visits an injected page.

CVE-2026-20463
Medium

In the Modem module, a vulnerability was found that allows privilege escalation through a permissions bypass. This can be exploited locally if the attacker already has System privileges. User interaction is not required for exploitation.

PreviousPage 54 of 4510Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS