CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-9184
Medium

The 24liveblog plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the update_lb24_token() AJAX function. Attackers with author-level access can overwrite user meta values and site-wide options of the plugin.

CVE-2026-9183
Medium

The 24liveblog plugin for WordPress up to version 2.2 exposes sensitive 24liveblog account credentials (API token, refresh token, user ID, and username) to any authenticated user with contributor-level access or higher. This occurs because the lb24_block_enqueue_scripts() function emits these secrets via wp_localize_script() as the lb24BlockData JavaScript object when loading the block editor.

CVE-2026-9179
High

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter and lack of proper preparation on the existing SQL query.

CVE-2026-9178
High

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.8. The plugin registers the REST route wp/v3/user/list/<id> with permission_callback set to '__return_true', allowing access to sensitive information without proper authorization.

CVE-2026-9175
Medium

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, resulting in no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint.

CVE-2026-9172
Medium

The Devs Accounting plugin for WordPress up to version 1.2.0 contains a vulnerability allowing unauthorized data deletion. Missing capability check in the delete_single_account() function and lack of permission_callback in the REST route registration allow unauthenticated attackers to delete arbitrary accounting account records via a simple GET request.

CVE-2026-8905
Medium

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5. This is due to missing or incorrect nonce validation on a function.

CVE-2026-8896
Medium

The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function.

CVE-2026-8865
Medium

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'avalon23_qr' shortcode in versions up to 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes.

CVE-2026-8705
High

The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to and including 3.4.2. Although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out, allowing the vulnerability to be exploited.

CVE-2026-8690
Medium

The RentMy Real-Time Rental Management Plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action.

CVE-2026-8688
Medium

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action.

CVE-2026-8628
Medium

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF parameter in all versions up to and including 1.1.2 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts if they can trick a user into performing an action such as clicking on a link.

CVE-2026-8622
Medium

The Image Sizes on Demand plugin for WordPress up to version 1.3 is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable. This is due to insufficient input sanitization and output escaping.

CVE-2026-8617
Medium

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to and including 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() functions.

CVE-2026-8614
Medium

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This allows authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option.

CVE-2026-7617
Medium

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to and including 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action.

CVE-2026-6292
Medium

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. The issue arises from broken nonce validation in the enter_mpclp_login_options() function, allowing unauthorized attackers to modify plugin settings.

CVE-2026-4297
High

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. The missing capability check in the nc_setOption() function allows authenticated attackers with Subscriber-level access and above to update arbitrary WordPress options via XML-RPC requests.

CVE-2026-13006
High

ACE vulnerability in logback-core up to version 1.5.36 allows arbitrary code execution by bypassing protections for CVE-2025-11226. The attack requires Janino library on the classpath and write access to a configuration file or injection of an environment variable.

PreviousPage 224 of 4559Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS