CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The Automotive Listings plugin version 18.6 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. It allows an attacker to inject a malicious script without requiring authentication.
The Zegen plugin in versions 1.1.9 and earlier allows a subscriber to upload arbitrary files to the server. This vulnerability can be exploited to upload malicious software without proper authorization.
The Werkstatt plugin for WordPress versions 4.8.3 and earlier contains a PHP Object Injection vulnerability via the contributor mechanism. This allows an attacker to inject malicious objects, potentially leading to remote code execution.
The Pearl - Corporate Business plugin version 3.4.10 and earlier contains an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can remotely read arbitrary files on the server without requiring authentication.
The NativeChurch plugin versions up to 4.8.8.2 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in LMS version 9.7 and earlier. It allows a remote attacker to inject malicious scripts without authentication.
The Kids Life | Children School WordPress plugin version 5.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The ARMember Premium plugin version 7.0 and earlier contains a PHP Object Injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject a malicious PHP object, potentially leading to remote code execution.
u5CMS through v12.8.8 is vulnerable to reflected XSS via the 'thanks' parameter in multiple form components.
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length, allowing an arbitrarily large string (up to ~4.09 GB) to be declared and delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Kids Zone - Children WordPress theme version 5.4 and earlier. It allows a remote attacker to inject malicious JavaScript code without requiring authentication.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the Fitness Zone WordPress Theme version 5.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.
An unauthenticated Cross Site Scripting (XSS) vulnerability exists in the SpaLab Beauty Salon WordPress Theme version 6.7 and earlier. It allows a remote attacker to inject malicious JavaScript code without authentication.
The Trendy Travel plugin version 6.7 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.
The Artale | Wedding Photography WordPress plugin version 2.2.2 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The OpenAI Chatbot for WordPress – Helper plugin version 1.1.4 and earlier contains a vulnerability allowing unauthenticated attackers to delete arbitrary content. The flaw is due to missing authorization and input validation.
The Tourmaster plugin version 5.4.5 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by a subscriber. An authenticated user with the subscriber role can read arbitrary files on the server.
The Corpkit plugin version 1.0.5 and earlier allows exposure of sensitive subscriber data. This vulnerability enables unauthorized users to access confidential information.
The Unicamp plugin version 2.2.2 and earlier contains a SQL injection vulnerability exploitable by subscribers. An attacker with subscriber privileges can inject malicious SQL queries, potentially leading to unauthorized database access.
The Woostify Sites Library plugin version 1.6.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to template library functions.

