CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 4.1.4 via deserialization of untrusted input. This allows authenticated attackers with administrator-level access to inject a PHP Object.
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to and including 4.1.4 via the 'import-user-file' parameter. This allows authenticated attackers with administrator-level access and above to read the contents of arbitrary files on the server.
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.3.4. The `qckply_data()` function passes the user-supplied `filename` POST parameter directly to `file_get_contents()` without validation, allowing authenticated attackers with Administrator-level access to read arbitrary files on the server.
The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'jtlma_custom_js' Page Setting. Authenticated attackers with author-level access can inject arbitrary web scripts that will execute whenever a user accesses the injected page.
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 6.2. The pagelist_unqprfx_ext_shortcode() function accepts attacker-controlled attributes, allowing the disclosure of private and draft page content.
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.6.0. This is due to missing or incorrect nonce validation on the change_status function.
The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 5.1.7. The issue arises from improper verification of user permissions, allowing attackers with contributor-level access and above to create and execute RSS import jobs and delete associated posts.
The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Shortcode Attributes in all versions up to and including 1.2.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'type' attribute of the [stripe-express] shortcode in versions up to and including 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value.
The Event Monster plugin for managing events in WordPress is vulnerable to insufficient verification of data authenticity in versions up to 2.1.0. The issue arises from the AJAX handler capture_payment() trusting client-supplied payment data without server-side verification.
The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function.
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to and including 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
The Charitable – Donation Plugin for WordPress is vulnerable to Insecure Direct Object Reference, leading to arbitrary attachment deletion. This issue affects versions up to 1.8.11.1 and is due to a lack of validation of the attachment owner during the profile avatar update.
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 2.1.3. This is due to improper verification of user permissions, allowing attackers with subscriber-level access and above to access private alba_card post data.
Python versions prior to 3.15 have an issue with the `idna.encode()` function that can be exploited to perform a denial-of-service attack by processing specially crafted arguments. High values of N in payloads can lead to long processing times.
HAX CMS, used for managing microsites with PHP or NodeJs backends, has an improper session termination vulnerability in versions prior to 26.0.0. Authentication tokens remain valid after user logout, allowing attackers to maintain persistent access to CMS functionality.
HAX CMS prior to version 26.0.0 contains an Authenticated Local File Inclusion (LFI) vulnerability in the saveOutline endpoint, allowing a low-privileged user to read arbitrary files on the server. This vulnerability can be exploited by attackers to exfiltrate sensitive system files.
HAX CMS is a microsite management system with PHP or NodeJS backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint.
OpenXDMoD prior to version 11.0.3 has a vulnerability that allows an authenticated attacker to inject malicious JavaScript into the user profile. By abusing the password reset functionality, the attacker can send a link to a malicious HTML page, potentially leading to account takeover.
In OpenXDMoD prior to version 11.0.3, a flaw in access control logic allows an attacker to submit a crafted HTTPS POST request, enabling them to bypass data access restrictions. This vulnerability affects installations that include the optional Job Performance (SUPReMM) module.

