CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-12657
Medium

The LatePoint plugin for WordPress up to version 5.6.2 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'service_id' parameter. Missing validation allows unauthenticated attackers to create approved bookings for admin/agent-only services, consuming restricted capacity.

CVE-2026-12472
Medium

The Kirki plugin for WordPress up to version 6.0.11 has an authorization bypass vulnerability. An unauthenticated attacker can send arbitrary HTML-injected emails, including phishing messages with a real password reset link, using the site's mail server and its SPF/DKIM reputation.

CVE-2026-12134
Medium

The JoomSport plugin for WordPress up to version 5.7.8 contains an authorization bypass vulnerability. It allows authenticated attackers with subscriber-level access or higher to create arbitrary season groups and modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages rendering a JoomSport shortcode.

CVE-2026-12122
Medium

The Kirki plugin for WordPress up to version 6.0.11 is vulnerable to sensitive information exposure via the get_single_symbol function. Unauthenticated attackers can extract full builder metadata and rendered HTML of any kirki_symbol post, including unpublished drafts, by supplying a sequential WordPress post ID.

CVE-2026-11896
Medium

The My Calendar – Accessible Event Manager plugin for WordPress up to version 3.7.14 inclusive contains an Insecure Direct Object Reference (IDOR) vulnerability via the 'vcal' parameter. Missing validation on a user-controlled key allows unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events.

CVE-2026-10104
Medium

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_thumbnail parameter in all versions up to and including 1.5.1.8 due to insufficient input sanitization and output escaping.

CVE-2026-9563
High

In Eclipse Parsson before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications parsing attacker-controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, leading to a denial of service.

CVE-2026-8147
High

In MLflow versions prior to 3.14.0, when authentication is enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation.

CVE-2026-33592
High

An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size, allowing an arbitrarily large string (up to ~3.9 GB) to be declared and delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out.

CVE-2026-5821
High

The Image Optimizer plugin for WordPress versions up to 1.7.4 is vulnerable to arbitrary file deletion due to insufficient path validation in the Image_Backup::remove() function. Backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. An authenticated attacker with Author-level access can inject arbitrary absolute file paths into the backups array via the Custom Fields interface, leading to file deletion when the attachment is deleted.

CVE-2026-5348
Medium

The Academy LMS WordPress plugin up to version 3.8.1 is vulnerable to Insecure Direct Object Reference (IDOR) in the '/topics' REST API endpoint. Lack of permission checks allows unauthenticated attackers to access detailed course data, including private, draft, scheduled, or password-protected courses.

CVE-2026-14249
High

The Request a Quote plugin for WordPress up to version 2.5.5 is vulnerable to Code Injection via the emd_delete_file AJAX action. An unauthenticated attacker can invoke arbitrary zero-argument PHP functions, such as phpinfo(), by manipulating the $_POST['path'] parameter.

CVE-2026-13704
Medium

The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in versions up to and including 4.16.1 due to insufficient input sanitization and output escaping.

CVE-2026-13357
Medium

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to and including 2.5.46. This is due to insufficient escaping and lack of proper SQL query preparation in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table and Houzez_Property_Feed_Admin_Logs_Import_Table classes.

CVE-2026-11965
Medium

The User Registration & Membership WordPress plugin before version 5.2.0 does not enforce payment completion before activating a paid membership subscription. This allows unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

CVE-2026-11781
Low

The Adminify WordPress plugin before version 4.2.10 fails to perform per-user read-capability checks in one of its administration search features, allowing low-privilege users (Contributor) to disclose non-public content such as other authors' unpublished post titles, pending comment content, plugin inventory, and user account names.

CVE-2026-11600
Medium

The Envo's Templates & Widgets for Elementor and WooCommerce plugin up to version 1.4.26 lacks authorization in the Envo Tabs widget, allowing authenticated attackers with Author-level access to disclose private Elementor content. By supplying a private template ID in the widget, an attacker can make that content visible to anonymous visitors.

CVE-2026-11592
Medium

The Email Subscribers & Newsletters plugin for WordPress up to version 5.9.27 is vulnerable to authorization bypass. Authenticated attackers with contributor-level access or higher can overwrite mail settings, create audience lists, insert contacts, create and overwrite newsletters, add workflows, and send mass emails to arbitrary recipients.

CVE-2026-11578
Low

The Fluent Forms WordPress plugin before version 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage. This allows a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration where an administrator has created at least one Manager restricted to specific forms.

CVE-2026-10089
Medium

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to and including 3.11.4. This is due to insufficient output escaping of the custom field key ($key) in the the_meta() function, while the field value is properly sanitized. Authenticated attackers with author-level access or above can inject arbitrary web scripts that execute when a user views an injected page.

PreviousPage 42 of 4515Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS