CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Versions of Groundhogg below 4.4.1 have a broken access control issue for subscribers, potentially allowing unauthorized access to data.
In KiviCare versions <= 4.2.1, there is a vulnerability related to Insecure Direct Object References (IDOR) for subscribers.
There is a vulnerability in WP SMS versions up to 7.2.1 that exposes sensitive subscriber data.
WPAdverts versions <= 2.3.0 have an issue with unauthenticated access that can lead to broken access control.
Versions of rtMedia for WordPress, BuddyPress, and bbPress up to 4.7.9 have a vulnerability in access control that may allow unauthorized subscribers to access resources.
Versions of Tutor LMS up to 3.9.7 have an issue with unauthenticated access that can lead to broken access control.
There is a broken access control issue in Ultra Addons for WPForms versions <= 1.0.11 that may allow unauthorized users to access subscriber resources.
RepairBuddy versions up to 4.1132 have a broken access control issue that may allow subscribers unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability in Shipment Tracker for Woocommerce versions up to 1.5.3.2 affecting subscribers.
WpStream versions below 4.11.2 have a vulnerability allowing subscribers to upload arbitrary files.
Booking Activities versions up to 1.16.48.1 have a vulnerability in access control that allows unauthorized access.
Versions of the engine below 1.4.107 have a broken access control issue for subscribers, which may lead to unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability for subscribers in JupiterX Core versions <= 4.14.1.
In Download Monitor versions <= 5.1.9, there is a vulnerability that allows unauthorized users to download arbitrary files.
In Meta Box, a WordPress custom fields framework, there is a vulnerability allowing arbitrary file deletion by a contributor in versions up to 5.11.1.
The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.
There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.
Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.
There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.
Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

