CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. The vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand(), resulting in a seed space of approximately 31 bits determined by publicly observable values. An attacker can predict the challenge within seconds, enabling forgery or offline brute-forcing of responses.
The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping.
The WPBot – AI ChatBot plugin for WordPress up to version 8.4.9 is vulnerable to stored cross-site scripting via the 'conversation' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access affected pages. The AJAX nonce required for saving is publicly exposed on every frontend page, removing practical exploitation barriers.
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress up to version 4.0.3 is vulnerable to authorization bypass. Unauthenticated attackers can access and export any visualizer chart, including those in draft, private, pending, future, or trash status, as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint.
The Tutor LMS plugin for WordPress up to version 3.9.13 inclusive is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title due to insufficient input sanitization and output escaping.
The GiveWP plugin for WordPress up to 4.16.0 is vulnerable to stored XSS via the 'givewp_campaign_comments' shortcode attributes. Authenticated attackers with author-level access can inject arbitrary scripts that execute on every page visit.
The Wp Google Places Review Slider plugin for WordPress up to version 18.1 is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter. Insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php allow unauthenticated attackers to inject arbitrary scripts that execute when a user clicks a crafted link.
The Youtube Showcase plugin for WordPress up to version 4.0.3 is vulnerable to arbitrary PHP function call due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler. Authenticated attackers with Subscriber-level access or higher can invoke zero-argument functions like phpinfo or phpversion, leading to information disclosure.
The Kadence Blocks plugin for WordPress up to version 3.7.7 is vulnerable to Insecure Direct Object Reference (IDOR). The authorization check uses a user-supplied post_id, but the actual read/delete operations on optimizer analysis records are performed using a hash of the post_path, which can be manipulated by the attacker. This allows authenticated attackers with Contributor-level access or higher to read or delete analysis records belonging to other users' posts.
The Kadence Blocks plugin for WordPress up to version 3.7.7 fails to properly verify user authorization, allowing authenticated attackers with contributor-level access or higher to create arbitrary Media Library attachments. Attackers can remotely download images to the uploads directory, bypassing the upload_files capability boundary.
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to and including 7.5.51.7212 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when users access affected pages.
The JoomSport plugin for WordPress up to version 5.7.8 contains a missing authorization vulnerability in the joomsport_season_groupdel() AJAX handler. It allows authenticated attackers with Subscriber-level access or higher to delete arbitrary JoomSport groups without proper capability checks.
The WPForms plugin for WordPress up to version 1.10.2 is vulnerable to CRLF Injection, allowing email header injection. The flaw occurs due to improper handling of the Reply-To display name, enabling unauthenticated attackers to inject arbitrary headers like Bcc into outgoing notification emails.
The Appointment Booking Calendar plugin for WordPress up to version 1.4.02 exposes sensitive information via the cpabc_appointments_filter_list parameter. This allows authenticated attackers with contributor-level access or higher to extract customer personal identifiable information such as names, email addresses, phone numbers, appointment comments, and other booking details.
The Taskbuilder plugin for WordPress up to version 5.0.8 is vulnerable to generic SQL injection via the 'task_search' parameter due to insufficient escaping and lack of query preparation. Authenticated attackers with subscriber-level access or higher can append malicious SQL queries.
The Taskbuilder plugin for WordPress is vulnerable to generic SQL injection via the 'wppm_proj_filter' parameter in versions up to 5.0.8. Insufficient escaping and lack of query preparation allow authenticated attackers (subscriber-level and above) to append additional SQL queries, enabling extraction of sensitive database information.
The LearnPress WordPress LMS plugin up to version 4.3.9.1 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'userId' parameter. An authenticated attacker with subscriber-level access or higher can view course enrollment progress and completion data belonging to instructors and administrators.
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function, allowing unauthenticated attackers to disable donation email notifications via a forged request.
The JetWidgets For Elementor plugin for WordPress up to version 1.0.21 is vulnerable to Stored Cross-Site Scripting (XSS). This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. Authenticated attackers with author-level access or higher can inject arbitrary web scripts that execute when a user visits an injected page.
In the Modem module, a vulnerability was found that allows privilege escalation through a permissions bypass. This can be exploited locally if the attacker already has System privileges. User interaction is not required for exploitation.

