CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The PPWP plugin version 1.9.19 and earlier contains an Insecure Direct Object References (IDOR) vulnerability in the contributor functionality. This allows unauthorized access to private data.
The WCBoost – Products Compare plugin in versions 1.1.0 and below allows unauthenticated users to access sensitive data. This vulnerability stems from a lack of proper security on API endpoints or pages that display confidential information.
The Email Marketing for WooCommerce by Omnisend plugin in versions 1.19.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to administrative functions.
SQL Injection vulnerability in Popup box versions up to 6.0.1 allows an administrator to inject malicious SQL code. An attacker with admin privileges can manipulate database queries.
The Blocksy Companion Pro plugin version 2.1.46 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access resources that should be protected without authentication.
The StatCounter plugin version 2.1.1 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.
SQL Injection vulnerability in WP All Import plugin versions up to 4.0.1 allows an administrator to inject malicious SQL code into the database.
Server Side Request Forgery (SSRF) vulnerability in Kirki plugin versions up to 6.0.11 allows a subscriber to send HTTP requests from the server to internal network resources.
The WPCafe plugin in version 3.0.14 and earlier contains a vulnerability of broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.
Cross Site Scripting (XSS) vulnerability in Neve PRO versions up to 3.1.2 inclusive. The flaw allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.
The SeedProd Pro plugin versions prior to 6.19.5 contain a Cross Site Scripting (XSS) vulnerability in the contributor function. It allows an attacker to inject malicious JavaScript code into pages generated by the plugin.
The ViewState add-on for Zed Attack Proxy (ZAP) before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve remote code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
The Featured Image plugin for WordPress version 2.1 and earlier contains a Cross-Site Scripting (XSS) vulnerability in the author function. This allows an unauthenticated attacker to inject malicious JavaScript code.
The SEOPress PRO plugin version 9.1.1 and earlier contains a vulnerability related to broken access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be restricted.
The vulnerability allows an unauthenticated attacker to inject malicious script (XSS) in NanoMag version 1.8 and earlier. The attack can be performed without authentication, increasing the risk for users.
The vulnerability in the GIFT4U plugin versions up to 1.0.10 allows unauthenticated attackers to bypass access controls. This can lead to unauthorized access to functions or data.
The Flash & HTML5 Video plugin version 2.11.0 and earlier contains an unauthenticated broken access control vulnerability. An attacker can gain unauthorized access to functions or data without required authentication.
Unauthenticated Cross Site Scripting (XSS) vulnerability in weMail versions up to 2.1.2.
The H5P plugin version 1.17.7 and earlier contains a vulnerability allowing a contributor to delete arbitrary files on the server. The flaw is due to insufficient permission validation during file deletion operations.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in FOX versions 1.4.8 and earlier. It allows a remote attacker to inject malicious script without authentication.

