CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The Structured Content plugin version 1.7.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. This allows an attacker to inject malicious JavaScript code into the page.
The Simple URLs plugin for WordPress version 151 and earlier contains a Stored Cross Site Scripting (XSS) vulnerability. An author can inject a malicious script that will be executed in the browser of an administrator or other user.
The SEOWP plugin version 3.12.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions without their knowledge.
The Sendcloud Shipping plugin for WordPress has a missing authorization vulnerability, allowing exploitation of incorrectly configured access control security levels. This issue affects versions from n/a through 1.0.29.
The ProfileGrid plugin version 5.9.9.7 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The Permalink Manager for WooCommerce plugin version 1.0.8.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The pCloud WP Backup plugin version 2.0.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions in the WordPress admin panel.
The nicen-localize-image plugin version 1.4.9 and earlier contains a SQL injection vulnerability in the Contributor component. This allows an attacker to manipulate database queries.
The Mosaic Gallery – Advanced Gallery plugin version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.
The Livemesh Addons for WPBakery Page Builder plugin version 3.9.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in the Contributor functionality. This allows an attacker to inject malicious JavaScript code into the page.
The Kit (formerly ConvertKit) plugin for WooCommerce versions 2.1.5 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability stems from a lack of proper access controls on data stored by the plugin.
SQL Injection vulnerability in the Contributor component of iNET Webkit 1.2.4 allows an attacker to inject malicious SQL code into database queries.
The Heateor Social Login plugin version 1.1.39 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.
The ez Form Calculator Premium plugin version 2.14.1.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to functions or data without required authentication.
The SportsPress Pro plugin version 2.7.29 and earlier contains a Contributor Local File Inclusion (LFI) vulnerability. This allows an attacker with contributor privileges to read sensitive files on the server.
The Shopify plugin version 1.0.0 and earlier contains a Local File Inclusion (LFI) vulnerability via the Contributor function. This allows an attacker to read sensitive files on the server.
An unauthenticated Cross Site Request Forgery (CSRF) vulnerability exists in Booked version 3.0.0 and earlier. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.
The Booked plugin version 3.0.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A subscriber can gain unauthorized access to functions intended for higher roles.
The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data that should be restricted.
The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for subscribers. This allows unauthorized users with the subscriber role to access functions or data they should not have permissions for.

