CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The Corpkit plugin version 1.0.5 and earlier allows exposure of sensitive subscriber data. This vulnerability enables unauthorized users to access confidential information.
The Woostify Sites Library plugin version 1.6.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to template library functions.
In the liboauth2 library, the DPoP verifier accepts a proof whose jwk header contains private key material. The oauth2_token_verify() function returns success for a malformed DPoP proof embedding a private EC key, violating RFC 9449 requirements.
The liboauth2 library is vulnerable to Server-Side Request Forgery (SSRF) in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, the kid value is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET request is issued before signature verification.
The Wappointment plugin for WordPress up to version 2.7.6 contains an Insecure Direct Object Reference (IDOR) vulnerability. The authorization key `edit_key` is generated as a predictable, unsalted MD5 hash of a sequential client ID, a publicly observable timestamp, and a small staff ID, allowing unauthenticated attackers to compute it and cancel or reschedule other users' appointments.
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress up to version 1.5.1 contains an arbitrary file copy vulnerability. The create_entry_el() function passes the raw_value from Elementor Pro's Form_Record object directly to PHP's copy() without validation, allowing an attacker to copy any file from the server or from an external URL.
A vulnerability was discovered in StormShield Network Security versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5, allowing a possible leak of secret information when administration commands are passed via the CLI tool. An attacker with SSH access to the firewall (if SSH multiuser mode is enabled) could potentially obtain the proxy CA passphrase or TPM password.
The Groundhogg plugin for WordPress (versions up to 4.5.8) is vulnerable to SQL injection via the 'select' parameter. An authenticated attacker with custom-level access or higher can append additional SQL queries, enabling extraction of sensitive database information.
The JetFormBuilder plugin for WordPress up to version 3.6.3 has an authorization bypass vulnerability, allowing unauthenticated attackers to retrieve any values from post meta, including WooCommerce PII, order totals, attachment paths, and third-party plugin credentials. Exploitation requires at least one published form with a get_from_db generator field.
The RSS Aggregator by Feedzy plugin for WordPress up to version 5.2.1 is vulnerable to stored XSS via the 'aspectRatio' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users access affected pages.
The LatePoint plugin for WordPress up to version 5.6.2 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'service_id' parameter. Missing validation allows unauthenticated attackers to create approved bookings for admin/agent-only services, consuming restricted capacity.
The Kirki plugin for WordPress up to version 6.0.11 has an authorization bypass vulnerability. An unauthenticated attacker can send arbitrary HTML-injected emails, including phishing messages with a real password reset link, using the site's mail server and its SPF/DKIM reputation.
The JoomSport plugin for WordPress up to version 5.7.8 contains an authorization bypass vulnerability. It allows authenticated attackers with subscriber-level access or higher to create arbitrary season groups and modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages rendering a JoomSport shortcode.
The Kirki plugin for WordPress up to version 6.0.11 is vulnerable to sensitive information exposure via the get_single_symbol function. Unauthenticated attackers can extract full builder metadata and rendered HTML of any kirki_symbol post, including unpublished drafts, by supplying a sequential WordPress post ID.
The My Calendar – Accessible Event Manager plugin for WordPress up to and including version 3.7.14 contains an Insecure Direct Object Reference (IDOR) vulnerability via the 'vcal' parameter. Missing validation on a user-controlled key allows unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events.
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_thumbnail parameter in all versions up to and including 1.5.1.8 due to insufficient input sanitization and output escaping.
The Academy LMS WordPress plugin up to version 3.8.1 is vulnerable to Insecure Direct Object Reference (IDOR) in the '/topics' REST API endpoint. Lack of permission checks allows unauthenticated attackers to access detailed course data, including private, draft, scheduled, or password-protected courses.
The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in versions up to and including 4.16.1 due to insufficient input sanitization and output escaping.
The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to and including 2.5.46. This is due to insufficient escaping and lack of proper SQL query preparation in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table and Houzez_Property_Feed_Admin_Logs_Import_Table classes.
The User Registration & Membership WordPress plugin before version 5.2.0 does not enforce payment completion before activating a paid membership subscription. This allows unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.