CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-7566
Medium

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 4.1.4 via deserialization of untrusted input. This allows authenticated attackers with administrator-level access to inject a PHP Object.

CVE-2026-7565
Medium

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to and including 4.1.4 via the 'import-user-file' parameter. This allows authenticated attackers with administrator-level access and above to read the contents of arbitrary files on the server.

CVE-2026-2500
Medium

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.3.4. The `qckply_data()` function passes the user-supplied `filename` POST parameter directly to `file_get_contents()` without validation, allowing authenticated attackers with Administrator-level access to read arbitrary files on the server.

CVE-2026-9281
Medium

The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'jtlma_custom_js' Page Setting. Authenticated attackers with author-level access can inject arbitrary web scripts that will execute whenever a user accesses the injected page.

CVE-2026-9008
Medium

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 6.2. The pagelist_unqprfx_ext_shortcode() function accepts attacker-controlled attributes, allowing the disclosure of private and draft page content.

CVE-2026-9719
Medium

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.6.0. This is due to missing or incorrect nonce validation on the change_status function.

CVE-2026-8976
Medium

The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 5.1.7. The issue arises from improper verification of user permissions, allowing attackers with contributor-level access and above to create and execute RSS import jobs and delete associated posts.

CVE-2026-8900
Medium

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Shortcode Attributes in all versions up to and including 1.2.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-8893
Medium

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'type' attribute of the [stripe-express] shortcode in versions up to and including 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value.

CVE-2026-8608
Medium

The Event Monster plugin for managing events in WordPress is vulnerable to insufficient verification of data authenticity in versions up to 2.1.0. The issue arises from the AJAX handler capture_payment() trusting client-supplied payment data without server-side verification.

CVE-2026-7047
Medium

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function.

CVE-2026-6448
Medium

The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to and including 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-10038
Medium

The Charitable – Donation Plugin for WordPress is vulnerable to Insecure Direct Object Reference, leading to arbitrary attachment deletion. This issue affects versions up to 1.8.11.1 and is due to a lack of validation of the attachment owner during the profile avatar update.

CVE-2026-7523
Medium

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 2.1.3. This is due to improper verification of user permissions, allowing attackers with subscriber-level access and above to access private alba_card post data.

CVE-2026-45409
Medium

Python versions prior to 3.15 have an issue with the `idna.encode()` function that can be exploited to perform a denial-of-service attack by processing specially crafted arguments. High values of N in payloads can lead to long processing times.

CVE-2026-46401
Medium

HAX CMS, used for managing microsites with PHP or NodeJs backends, has an improper session termination vulnerability in versions prior to 26.0.0. Authentication tokens remain valid after user logout, allowing attackers to maintain persistent access to CMS functionality.

CVE-2026-46397
Medium

HAX CMS prior to version 26.0.0 contains an Authenticated Local File Inclusion (LFI) vulnerability in the saveOutline endpoint, allowing a low-privileged user to read arbitrary files on the server. This vulnerability can be exploited by attackers to exfiltrate sensitive system files.

CVE-2026-46357
Medium

HAX CMS is a microsite management system with PHP or NodeJS backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint.

CVE-2026-45778
Medium

OpenXDMoD prior to version 11.0.3 has a vulnerability that allows an authenticated attacker to inject malicious JavaScript into the user profile. By abusing the password reset functionality, the attacker can send a link to a malicious HTML page, potentially leading to account takeover.

CVE-2026-45776
Medium

In OpenXDMoD prior to version 11.0.3, a flaw in access control logic allows an attacker to submit a crafted HTTPS POST request, enabling them to bypass data access restrictions. This vulnerability affects installations that include the optional Job Performance (SUPReMM) module.

PreviousPage 165 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS