CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2025-69132
Medium

The Corpkit plugin version 1.0.5 and earlier allows exposure of sensitive subscriber data. This vulnerability enables unauthorized users to access confidential information.

CVE-2025-66076
Medium

The Woostify Sites Library plugin version 1.6.2 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to template library functions.

CVE-2026-54431
Medium

In the liboauth2 library, the DPoP verifier accepts a proof whose jwk header contains private key material. The oauth2_token_verify() function returns success for a malformed DPoP proof embedding a private EC key, violating RFC 9449 requirements.

CVE-2026-54430
Medium

The liboauth2 library is vulnerable to Server-Side Request Forgery (SSRF) in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, the kid value is appended to alb_base_url without URL encoding or path sanitization, and the HTTP GET request is issued before signature verification.

CVE-2026-9188
Medium

The Wappointment plugin for WordPress up to version 2.7.6 contains an Insecure Direct Object Reference (IDOR) vulnerability. The authorization key `edit_key` is generated as a predictable, unsalted MD5 hash of a sequential client ID, a publicly observable timestamp, and a small staff ID, allowing unauthenticated attackers to compute it and cancel or reschedule other users' appointments.

CVE-2026-9145
Medium

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress up to version 1.5.1 contains an arbitrary file copy vulnerability. The create_entry_el() function passes the raw_value from Elementor Pro's Form_Record object directly to PHP's copy() without validation, allowing an attacker to copy any file from the server or from an external URL.

CVE-2026-8482
Medium

A vulnerability was discovered in StormShield Network Security versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5, allowing a possible leak of secret information when administration commands are passed via the CLI tool. An attacker with SSH access to the firewall (if SSH multiuser mode is enabled) could potentially obtain the proxy CA passphrase or TPM password.

CVE-2026-14029
Medium

The Groundhogg plugin for WordPress (versions up to 4.5.8) is vulnerable to SQL injection via the 'select' parameter. An authenticated attacker with custom-level access or higher can append additional SQL queries, enabling extraction of sensitive database information.

CVE-2026-13459
Medium

The JetFormBuilder plugin for WordPress up to version 3.6.3 has an authorization bypass vulnerability, allowing unauthenticated attackers to retrieve any values from post meta, including WooCommerce PII, order totals, attachment paths, and third-party plugin credentials. Exploitation requires at least one published form with a get_from_db generator field.

CVE-2026-13252
Medium

The RSS Aggregator by Feedzy plugin for WordPress up to version 5.2.1 is vulnerable to stored XSS via the 'aspectRatio' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users access affected pages.

CVE-2026-12657
Medium

The LatePoint plugin for WordPress up to version 5.6.2 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'service_id' parameter. Missing validation allows unauthenticated attackers to create approved bookings for admin/agent-only services, consuming restricted capacity.

CVE-2026-12472
Medium

The Kirki plugin for WordPress up to version 6.0.11 has an authorization bypass vulnerability. An unauthenticated attacker can send arbitrary HTML-injected emails, including phishing messages with a real password reset link, using the site's mail server and its SPF/DKIM reputation.

CVE-2026-12134
Medium

The JoomSport plugin for WordPress up to version 5.7.8 contains an authorization bypass vulnerability. It allows authenticated attackers with subscriber-level access or higher to create arbitrary season groups and modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages rendering a JoomSport shortcode.

CVE-2026-12122
Medium

The Kirki plugin for WordPress up to version 6.0.11 is vulnerable to sensitive information exposure via the get_single_symbol function. Unauthenticated attackers can extract full builder metadata and rendered HTML of any kirki_symbol post, including unpublished drafts, by supplying a sequential WordPress post ID.

CVE-2026-11896
Medium

The My Calendar – Accessible Event Manager plugin for WordPress up to version 3.7.14 inclusive contains an Insecure Direct Object Reference (IDOR) vulnerability via the 'vcal' parameter. Missing validation on a user-controlled key allows unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events.

CVE-2026-10104
Medium

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_thumbnail parameter in all versions up to and including 1.5.1.8 due to insufficient input sanitization and output escaping.

CVE-2026-5348
Medium

The Academy LMS WordPress plugin up to version 3.8.1 is vulnerable to Insecure Direct Object Reference (IDOR) in the '/topics' REST API endpoint. Lack of permission checks allows unauthenticated attackers to access detailed course data, including private, draft, scheduled, or password-protected courses.

CVE-2026-13704
Medium

The GiveWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in versions up to and including 4.16.1 due to insufficient input sanitization and output escaping.

CVE-2026-13357
Medium

The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to and including 2.5.46. This is due to insufficient escaping and lack of proper SQL query preparation in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table and Houzez_Property_Feed_Admin_Logs_Import_Table classes.

CVE-2026-11965
Medium

The User Registration & Membership WordPress plugin before version 5.2.0 does not enforce payment completion before activating a paid membership subscription. This allows unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS