CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the SpaLab Beauty Salon WordPress Theme version 6.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.
The Trendy Travel plugin version 6.7 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The Artale | Wedding Photography WordPress plugin version 2.2.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The OpenAI Chatbot for WordPress – Helper plugin version 1.1.4 and earlier contains a vulnerability allowing unauthenticated attackers to delete arbitrary content. The flaw is due to missing authorization and input validation.
The Tourmaster plugin version 5.4.5 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by a subscriber. An authenticated user with the subscriber role can read arbitrary files on the server.
The Unicamp plugin version 2.2.2 and earlier contains a SQL injection vulnerability exploitable by subscribers. An attacker with subscriber privileges can inject malicious SQL queries, potentially leading to unauthorized database access.
An unauthenticated Local File Inclusion vulnerability exists in Lighthouse versions up to 1.2.12. It allows an attacker to read arbitrary files from the server without authentication.
The WP Database Backup plugin for WordPress up to version 7.11 is vulnerable to OS command injection via the `wp_db_exclude_table` parameter. An authenticated attacker with administrator privileges can inject malicious data that is directly concatenated into the `mysqldump` command without proper escaping, allowing arbitrary command execution on the server.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter in the wprp_load_more_revs AJAX action. The unsanitized value is concatenated directly into an AND id NOT IN (...) clause, allowing unauthenticated attackers to extract database data.
The vulnerability in PIA uses a bare string-prefix check for the OIDC issuer allowlist instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer that passes the prefix check but points to a controlled server. This allows an unauthenticated caller of POST /v1/upload/sbom to force outbound HTTP(S) requests to an arbitrary host and accept a JWT signed with the attacker's key.
The Ninja Forms - File Uploads plugin for WordPress up to version 3.3.29 is vulnerable to Arbitrary File Read. The attach_files() function improperly handles a raw attacker-controlled 'files' array, bypassing upload validation, path normalization, and database record creation, allowing an unauthenticated attacker to read arbitrary files on the server.
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to and including 2.6.4 via the 's' parameter. This allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information.
In Eclipse Parsson before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications parsing attacker-controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, leading to a denial of service.
In MLflow versions prior to 3.14.0, when authentication is enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation.
An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size, allowing an arbitrarily large string (up to ~3.9 GB) to be declared and delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out.
The Image Optimizer plugin for WordPress versions up to 1.7.4 is vulnerable to arbitrary file deletion due to insufficient path validation in the Image_Backup::remove() function. Backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. An authenticated attacker with Author-level access can inject arbitrary absolute file paths into the backups array via the Custom Fields interface, leading to file deletion when the attachment is deleted.
The Request a Quote plugin for WordPress up to version 2.5.5 is vulnerable to Code Injection via the emd_delete_file AJAX action. An unauthenticated attacker can invoke arbitrary zero-argument PHP functions, such as phpinfo(), by manipulating the $_POST['path'] parameter.
The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software contains a buffer overflow vulnerability in the handler for the `connectionInfo` command. An attacker on localhost can send crafted JSON data that is copied into fixed-size buffers without length checks, causing overflow.
The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software (GV-VMS, GV-Cloud) contains a buffer overflow vulnerability in the function handling the `connectionInfo` command. An attacker from localhost can send crafted JSON data that is copied into fixed-size buffers without length checking, causing overflow.
A buffer overflow vulnerability in GeoWebPlayer (Web Plugin) allows an attacker from localhost to execute code by sending a crafted WebSocket request with an overly long 'password' field. The handle_connection_info function copies data into fixed-size buffers without length checks, causing overflow.

