CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
The 24liveblog plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the update_lb24_token() AJAX function. Attackers with author-level access can overwrite user meta values and site-wide options of the plugin.
The 24liveblog plugin for WordPress up to version 2.2 exposes sensitive 24liveblog account credentials (API token, refresh token, user ID, and username) to any authenticated user with contributor-level access or higher. This occurs because the lb24_block_enqueue_scripts() function emits these secrets via wp_localize_script() as the lb24BlockData JavaScript object when loading the block editor.
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter and lack of proper preparation on the existing SQL query.
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.8. The plugin registers the REST route wp/v3/user/list/<id> with permission_callback set to '__return_true', allowing access to sensitive information without proper authorization.
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, resulting in no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint.
The Devs Accounting plugin for WordPress up to version 1.2.0 contains a vulnerability allowing unauthorized data deletion. Missing capability check in the delete_single_account() function and lack of permission_callback in the REST route registration allow unauthenticated attackers to delete arbitrary accounting account records via a simple GET request.
The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5. This is due to missing or incorrect nonce validation on a function.
The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function.
The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'avalon23_qr' shortcode in versions up to 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes.
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to and including 3.4.2. Although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out, allowing the vulnerability to be exploited.
The RentMy Real-Time Rental Management Plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action.
The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action.
The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF parameter in all versions up to and including 1.1.2 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts if they can trick a user into performing an action such as clicking on a link.
The Image Sizes on Demand plugin for WordPress up to version 1.3 is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable. This is due to insufficient input sanitization and output escaping.
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to and including 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions.
The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This allows authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option.
The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action.
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. The issue arises from broken nonce validation in the enter_mpclp_login_options() function, allowing unauthorized attackers to modify plugin settings.
The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. The missing capability check in the nc_setOption() function allows authenticated attackers with Subscriber-level access and above to update arbitrary WordPress options via XML-RPC requests.
ACE vulnerability in logback-core up to version 1.5.36 allows arbitrary code execution by bypassing protections for CVE-2025-11226. The attack requires Janino library on the classpath and write access to a configuration file or injection of an environment variable.

