CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57750
Medium

The ez Form Calculator Premium plugin version 2.14.1.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to functions or data without required authentication.

CVE-2026-57747
Medium

An unauthenticated Cross-Site Request Forgery (CSRF) vulnerability exists in Booked version 3.0.0 and earlier. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.

CVE-2026-57731
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for contributors. A user with the contributor role can gain unauthorized access to functions or data that should be restricted.

CVE-2026-57730
Medium

The Flatsome plugin version 3.20.5 and earlier contains a broken access control vulnerability for subscribers. This allows unauthorized users with the subscriber role to access functions or data they should not have permissions for.

CVE-2026-57690
Medium

The Werkstatt plugin version 4.7.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.

CVE-2026-57689
Medium

The Werkstatt plugin in versions 4.7.2 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to gain unauthorized access to functions or data.

CVE-2026-57685
Medium

The Martfury - WooCommerce Marketplace WordPress theme version 3.2.8 and earlier contains a broken access control vulnerability for subscribers. It allows users with the subscriber role to gain unauthorized access to functions or data that should be restricted.

CVE-2026-57684
Medium

The TheFox plugin for WordPress versions 3.9.70 and earlier contains a Cross-Site Scripting (XSS) vulnerability in the Contributor function. It allows an attacker to inject malicious JavaScript code into the page.

CVE-2026-57681
Medium

The GeoDirectory plugin version 2.8.161 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability exploitable by subscribers. This allows an attacker with subscriber privileges to send HTTP requests to internal server resources.

CVE-2026-57680
Medium

The Kirki plugin version 6.0.11 and earlier contains an unauthenticated Insecure Direct Object References (IDOR) vulnerability. This allows an attacker to access protected resources or data without authentication.

CVE-2026-57669
Medium

The Advanced Contact form 7 DB plugin version 2.0.9 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

CVE-2026-57355
Medium

The Classified Listing plugin for WordPress versions 5.4.2 and earlier contains a broken access control vulnerability exploitable by subscribers. This allows users with the subscriber role to perform unauthorized actions.

CVE-2026-57354
Medium

The JetReviews plugin version 3.0.0.1 and earlier contains a Cross-Site Scripting (XSS) vulnerability exploitable by subscribers. It allows injection of malicious scripts into the page by a user with the subscriber role.

CVE-2026-57353
Medium

The Link Whisper Premium plugin version 2.9.0 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.

CVE-2026-57352
Medium

The ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce plugin version 2.2.0 and earlier contains a vulnerability allowing an unauthenticated attacker to break the authentication mechanism. This flaw enables bypassing the login process and gaining unauthorized access to administrative functions.

CVE-2026-57347
Medium

The Hotel Booking Lite plugin version 6.0.3 and earlier exposes sensitive subscriber data. This vulnerability allows unauthorized users to access confidential information stored in the system.

CVE-2026-57342
Medium

The ShortPixel Adaptive Images plugin version 3.11.3 and earlier contains a Cross-Site Scripting (XSS) vulnerability exploitable by subscribers. This allows a subscriber-level user to inject malicious JavaScript code into the page.

CVE-2026-49779
Medium

The Tax Exempt for WooCommerce plugin version 1.9.3 and earlier contains a Customer Path Traversal vulnerability that allows unauthorized access to files outside the root directory.

CVE-2026-27433
Medium

The Motors plugin versions up to 5.6.80 contain an unauthenticated broken access control vulnerability. An attacker without authentication can bypass security measures and gain unauthorized access to functions or data.

CVE-2026-14449
Medium

u5CMS through v12.8.8 is vulnerable to reflected XSS via the 'thanks' parameter in multiple form components.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS