CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57349
High

The WPeMatico RSS Feed Fetcher plugin versions up to 2.8.17 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.

CVE-2026-57348
High

The Paid Member Subscriptions plugin version 3.0.4 and earlier contains an unauthenticated Server Side Request Forgery (SSRF) vulnerability. An attacker can send crafted HTTP requests that are executed by the server, enabling access to internal network resources.

CVE-2026-57345
High

The Internal Links Manager plugin version 3.0.3 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject a malicious script that executes in the victim's browser.

CVE-2026-57344
High

The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. This allows an attacker to inject malicious JavaScript code without requiring authentication.

CVE-2026-57343
High

Real Estate 7 plugin version 3.5.9 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-56037
High

The Themify Popup WordPress plugin contains a deserialization of untrusted data vulnerability allowing object injection. This issue affects all versions up to and including 1.4.3.

CVE-2026-42382
High

The Audrey plugin version 1.5 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without authentication.

CVE-2026-39448
High

The NOWPayments for WooCommerce plugin version 1.4.0 and earlier contains an unauthenticated Broken Access Control vulnerability. An attacker without authentication can gain unauthorized access to functions or data.

CVE-2026-27430
High

TheFox plugin versions up to 3.9.76 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.

CVE-2026-27426
High

The Automotive Car Dealership Business plugin versions up to 13.3.3 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script without authentication.

CVE-2026-27425
High

The Automotive Listings plugin version 18.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject a malicious script without requiring authentication.

CVE-2026-27414
High

The Werkstatt plugin for WordPress versions 4.8.3 and earlier contains a PHP Object Injection vulnerability via the contributor mechanism. This allows an attacker to inject malicious objects, potentially leading to remote code execution.

CVE-2026-27412
High

The Pearl - Corporate Business plugin version 3.4.10 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without requiring authentication.

CVE-2026-27408
High

The NativeChurch plugin versions up to 4.8.8.2 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-27404
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in LMS version 9.7 and earlier. It allows a remote attacker to inject malicious scripts without authentication.

CVE-2026-27402
High

The Kids Life | Children School WordPress plugin version 5.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-27060
High

The ARMember Premium plugin version 7.0 and earlier contains a PHP Object Injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject a malicious PHP object, potentially leading to remote code execution.

CVE-2026-11946
High

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length, allowing an arbitrarily large string (up to ~4.09 GB) to be declared and delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out.

CVE-2025-69156
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Kids Zone - Children WordPress theme version 5.4 and earlier. It allows a remote attacker to inject malicious JavaScript code without requiring authentication.

CVE-2025-69155
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Fitness Zone WordPress Theme version 5.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.

PreviousPage 11 of 3305Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS