CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.16)
Unauthenticated Cross Site Request Forgery (CSRF) vulnerability in Abandoned Cart Lite for WooCommerce versions up to 6.8.0. An attacker can trick an administrator into performing unintended actions without their knowledge.
The wpForo Forum plugin version 3.0.9 and earlier contains a SQL injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject malicious SQL queries, potentially leading to unauthorized database access.
The FunnelKit Payment Gateway for Stripe WooCommerce plugin version 1.14.0.3 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of a logged-in WooCommerce store administrator.
The PPWP plugin version 1.9.19 and earlier contains an Insecure Direct Object References (IDOR) vulnerability in the contributor functionality. This allows unauthorized access to private data.
The WCBoost – Products Compare plugin in versions 1.1.0 and below allows unauthenticated users to access sensitive data. This vulnerability stems from a lack of proper security on API endpoints or pages that display confidential information.
The Email Marketing for WooCommerce by Omnisend plugin in versions 1.19.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to administrative functions.
SQL Injection vulnerability in Popup box versions up to 6.0.1 allows an administrator to inject malicious SQL code. An attacker with admin privileges can manipulate database queries.
The Blocksy Companion Pro plugin version 2.1.46 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access resources that should be protected without authentication.
The StatCounter plugin version 2.1.1 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.
SQL Injection vulnerability in WP All Import plugin versions up to 4.0.1 allows an administrator to inject malicious SQL code into the database.
Server Side Request Forgery (SSRF) vulnerability in Kirki plugin versions up to 6.0.11 allows a subscriber to send HTTP requests from the server to internal network resources.
The WPCafe plugin in version 3.0.14 and earlier contains a vulnerability of broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for administrators.
Cross Site Scripting (XSS) vulnerability in Neve PRO versions up to 3.1.2 inclusive. The flaw allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.
The SeedProd Pro plugin versions prior to 6.19.5 contain a Cross Site Scripting (XSS) vulnerability in the contributor function. It allows an attacker to inject malicious JavaScript code into pages generated by the plugin.
The ViewState add-on for Zed Attack Proxy (ZAP) before version 4 contains an insecure deserialization vulnerability that allows attackers controlling a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
The Featured Image plugin for WordPress version 2.1 and earlier contains a Cross-Site Scripting (XSS) vulnerability in the author function. This allows an unauthenticated attacker to inject malicious JavaScript code.
The SEOPress PRO plugin version 9.1.1 and earlier contains a vulnerability related to broken access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be restricted.
The vulnerability allows an unauthenticated attacker to inject malicious script (XSS) in NanoMag version 1.8 and earlier. The attack can be performed without authentication, increasing the risk for users.
The vulnerability in the GIFT4U plugin versions up to 1.0.10 allows unauthenticated attackers to bypass access controls. This can lead to unauthorized access to functions or data.
The Flash & HTML5 Video plugin version 2.11.0 and earlier contains an unauthenticated broken access control vulnerability. An attacker can gain unauthorized access to functions or data without required authentication.

