CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. This allows an attacker to inject malicious JavaScript code without requiring authentication.
Real Estate 7 plugin version 3.5.9 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The ShortPixel Adaptive Images plugin version 3.11.3 and earlier contains a Cross Site Scripting (XSS) vulnerability exploitable by subscribers. This allows a subscriber-level user to inject malicious JavaScript code into the page.
The Themify Popup WordPress plugin contains a deserialization of untrusted data vulnerability allowing object injection. This issue affects all versions up to and including 1.4.3.
The Tax Exempt for WooCommerce plugin version 1.9.3 and earlier contains a Customer Path Traversal vulnerability that allows unauthorized access to files outside the root directory.
The Audrey plugin version 1.5 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without authentication.
The NOWPayments for WooCommerce plugin version 1.4.0 and earlier contains an unauthenticated Broken Access Control vulnerability. An attacker without authentication can gain unauthorized access to functions or data.
The Five Star Business Profile and Schema WordPress plugin version 2.3.19 and earlier contains an editor arbitrary code execution vulnerability. An attacker can exploit this flaw to gain full control over the website.
The Motors plugin versions up to 5.6.80 contain an unauthenticated broken access control vulnerability. An attacker without authentication can bypass security measures and gain unauthorized access to functions or data.
TheFox plugin versions up to 3.9.76 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can inject malicious script without authentication.
The Automotive Car Dealership Business plugin versions up to 13.3.3 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script without authentication.
The Automotive Listings plugin version 18.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject a malicious script without requiring authentication.
The Zegen plugin in versions 1.1.9 and earlier allows a subscriber to upload arbitrary files to the server. This vulnerability can be exploited to upload malicious software without proper authorization.
The Werkstatt plugin for WordPress versions 4.8.3 and earlier contains a PHP Object Injection vulnerability via the contributor mechanism. This allows an attacker to inject malicious objects, potentially leading to remote code execution.
The Pearl - Corporate Business plugin version 3.4.10 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without requiring authentication.
The NativeChurch plugin versions up to 4.8.8.2 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in LMS version 9.7 and earlier. It allows a remote attacker to inject malicious scripts without authentication.
The Kids Life | Children School WordPress plugin version 5.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The ARMember Premium plugin version 7.0 and earlier contains a PHP Object Injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject a malicious PHP object, potentially leading to remote code execution.
u5CMS through v12.8.8 is vulnerable to reflected XSS via the 'thanks' parameter in multiple form components.

