CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-40793
Medium

Versions of Groundhogg below 4.4.1 have a broken access control issue for subscribers, potentially allowing unauthorized access to data.

CVE-2026-40792
Medium

In KiviCare versions <= 4.2.1, there is a vulnerability related to Insecure Direct Object References (IDOR) for subscribers.

CVE-2026-40790
Medium

There is a vulnerability in WP SMS versions up to 7.2.1 that exposes sensitive subscriber data.

CVE-2026-40782
Medium

WPAdverts versions <= 2.3.0 have an issue with unauthenticated access that can lead to broken access control.

CVE-2026-40773
Medium

Versions of rtMedia for WordPress, BuddyPress, and bbPress up to 4.7.9 have a vulnerability in access control that may allow unauthorized subscribers to access resources.

CVE-2026-40743
Medium

Versions of Tutor LMS up to 3.9.7 have an issue with unauthenticated access that can lead to broken access control.

CVE-2026-39594
Medium

There is a broken access control issue in Ultra Addons for WPForms versions <= 1.0.11 that may allow unauthorized users to access subscriber resources.

CVE-2026-39584
Medium

RepairBuddy versions up to 4.1132 have a broken access control issue that may allow subscribers unauthorized access to resources.

CVE-2026-39540
Medium

There is a Cross Site Scripting (XSS) vulnerability in Shipment Tracker for Woocommerce versions up to 1.5.3.2 affecting subscribers.

CVE-2026-39527
Medium

WpStream versions below 4.11.2 have a vulnerability allowing subscribers to upload arbitrary files.

CVE-2026-39525
Medium

Booking Activities versions up to 1.16.48.1 have a vulnerability in access control that allows unauthorized access.

CVE-2026-39515
Medium

Versions of the engine below 1.4.107 have a broken access control issue for subscribers, which may lead to unauthorized access to resources.

CVE-2026-39491
Medium

There is a Cross Site Scripting (XSS) vulnerability for subscribers in JupiterX Core versions <= 4.14.1.

CVE-2026-39489
Medium

In Download Monitor versions <= 5.1.9, there is a vulnerability that allows unauthorized users to download arbitrary files.

CVE-2026-39468
Medium

In Meta Box, a WordPress custom fields framework, there is a vulnerability allowing arbitrary file deletion by a contributor in versions up to 5.11.1.

CVE-2026-39451
Medium

The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.

CVE-2026-34892
Medium

There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.

CVE-2026-25440
Medium

Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.

CVE-2025-69332
Medium

There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.

CVE-2025-68049
Medium

Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

PreviousPage 100 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS