CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-27425
High

The Automotive Listings plugin version 18.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject a malicious script without requiring authentication.

CVE-2026-27419
Critical

The Zegen plugin in versions 1.1.9 and earlier allows a subscriber to upload arbitrary files to the server. This vulnerability can be exploited to upload malicious software without proper authorization.

CVE-2026-27414
High

The Werkstatt plugin for WordPress versions 4.8.3 and earlier contains a PHP Object Injection vulnerability via the contributor mechanism. This allows an attacker to inject malicious objects, potentially leading to remote code execution.

CVE-2026-27412
High

The Pearl - Corporate Business plugin version 3.4.10 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without requiring authentication.

CVE-2026-27408
High

The NativeChurch plugin versions up to 4.8.8.2 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-27404
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in LMS version 9.7 and earlier. It allows a remote attacker to inject malicious scripts without authentication.

CVE-2026-27402
High

The Kids Life | Children School WordPress plugin version 5.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-27060
High

The ARMember Premium plugin version 7.0 and earlier contains a PHP Object Injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject a malicious PHP object, potentially leading to remote code execution.

CVE-2026-14449
Medium

u5CMS through v12.8.8 is vulnerable to reflected XSS via the 'thanks' parameter in multiple form components.

CVE-2026-11946
High

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length, allowing an arbitrarily large string (up to ~4.09 GB) to be declared and delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out.

CVE-2025-69156
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Kids Zone - Children WordPress theme version 5.4 and earlier. It allows a remote attacker to inject malicious JavaScript code without requiring authentication.

CVE-2025-69155
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Fitness Zone WordPress Theme version 5.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.

CVE-2025-69154
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the SpaLab Beauty Salon WordPress Theme version 6.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.

CVE-2025-69153
High

The Trendy Travel plugin version 6.7 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2025-69152
High

The Artale | Wedding Photography WordPress plugin version 2.2.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2025-69134
High

The OpenAI Chatbot for WordPress – Helper plugin version 1.1.4 and earlier contains a vulnerability allowing unauthenticated attackers to delete arbitrary content. The flaw is due to missing authorization and input validation.

CVE-2025-69133
High

The Tourmaster plugin version 5.4.5 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by a subscriber. An authenticated user with the subscriber role can read arbitrary files on the server.

CVE-2025-69132
Medium

The Corpkit plugin version 1.0.5 and earlier allows exposure of sensitive subscriber data. This vulnerability enables unauthorized users to access confidential information.

CVE-2025-69094
High

The Unicamp plugin version 2.2.2 and earlier contains a SQL injection vulnerability exploitable by subscribers. An attacker with subscriber privileges can inject malicious SQL queries, potentially leading to unauthorized database access.

CVE-2025-66076
Medium

The Woostify Sites Library plugin version 1.6.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to template library functions.

PreviousPage 56 of 4537Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS