CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-55745
Medium

Cotonti version 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. The folder update action ('a=update') does not validate the anti-CSRF token, allowing for modification of folder metadata through a forged request.

CVE-2026-28573
Medium

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed.

CVE-2026-12137
Medium

The SysBasics Customize My Account plugin for WooCommerce is vulnerable to reflected Cross-Site Scripting via the 'tab' parameter in all versions up to and including 4.3.6 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts, requiring the victim to be logged in with at least Shop Manager-level access.

CVE-2026-12136
Medium

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'sysbasics_user_avatar' shortcode in versions up to and including 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes.

CVE-2026-12111
Medium

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function.

CVE-2026-12098
Medium

The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'embed' Episode Meta Field. This issue exists in all versions up to and including 11.16.8 due to insufficient input sanitization and output escaping.

CVE-2026-9199
Medium

The Equalize Digital Accessibility Checker plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.42.1. The issue arises from improper verification of user permissions, allowing attackers with author-level access and above to manipulate accessibility issue records.

CVE-2026-12120
Medium

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 3.1.7 via the 'form_id' parameter. This allows unauthenticated attackers to download a full CSV export of all form submissions, including any personally identifiable information submitted by users.

CVE-2026-12093
Medium

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action, allowing unauthenticated attackers to deactivate member accounts.

CVE-2026-11784
Medium

The Optimole plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 4.2.6. The issue arises from missing or incorrect nonce validation in the replace_file function, allowing unauthenticated attackers to overwrite existing media attachments.

CVE-2026-11777
Medium

The Form Maker by 10Web, a plugin for creating contact forms in WordPress, is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to and including 1.15.43. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-11776
Medium

The Form Maker by 10Web, a plugin for creating contact forms in WordPress, is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to and including 1.15.43. This issue arises from insufficient escaping of the user-supplied parameter and lack of proper preparation of the existing SQL query.

CVE-2026-11402
Medium

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'link' Block Attribute. This issue affects all versions up to and including 1.4.4 due to insufficient input sanitization and output escaping.

CVE-2026-11360
Medium

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all versions up to and including 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-11358
Medium

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via admin settings in all versions up to and including 3.0.6 due to insufficient input sanitization and output escaping.

CVE-2026-11357
Medium

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 3.7.5. This allows authenticated attackers with contributor-level access and above to extract the site's connected Kadence account license key, license owner email, and other sensitive data from the browser console.

CVE-2026-10736
Medium

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to and including 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-10623
Medium

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.3.0 due to missing validation on the 'rule_id' parameter. This allows authenticated attackers with custom-level access and above to modify or delete quiz rules belonging to other teachers.

CVE-2026-10029
Medium

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.3.13.1. This allows unauthenticated attackers to extract sensitive data such as virtual meeting URLs and location data.

CVE-2026-10023
Medium

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin is vulnerable to Insecure Direct Object Reference in all versions up to 5.0.3. The lack of ownership validation on the order ID key allows authenticated attackers to modify order statuses and add, delete, and modify order notes.

PreviousPage 88 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS