17356 matches found
CVE-2026-58410
ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...
CVE-2026-57771
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through = 3.7...
CVE-2026-57770
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through = 5.7.8...
CVE-2026-57423
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form 7: from n/a through = 1.6.3.8...
CVE-2026-57415
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through = 4.7.0...
CVE-2026-57411
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Aman CF7 Views Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views Complete Entry Management for Contact Form 7: from n/a through = 3.2.2...
CVE-2026-57371
Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through = 7.0...
CVE-2026-57810
CVE-2026-57810 describes a SQL injection in the WordPress plugin APIExperts Square for WooCommerce (woosquare), affecting versions up to and including 4.7.4. The vulnerability is characterized as blind SQL injection due to improper neutralization of special elements in SQL queries. The provided d...
CVE-2026-57770
The CVE-2026-57770 entry concerns Deserialization of Untrusted Data in the WordPress Theme Grand Photography plugin/theme. Affected: Grand Photography versions up to 5.7.8. Root cause: PHP object injection arising from untrusted data deserialization. Impact: high confidentiality, integrity, and a...
CVE-2026-57423 WordPress Message Filter for Contact Form 7 plugin <= 1.6.3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form 7: from n/a through = 1.6.3.8...
CVE-2026-57415 WordPress Gift Vouchers plugin <= 4.7.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Codemenschen Gift Vouchers gift-voucher allows Stored XSS.This issue affects Gift Vouchers: from n/a through = 4.7.0...
CVE-2026-57411 WordPress CF7 Views – Complete Entry Management for Contact Form 7 plugin <= 3.2.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Aman CF7 Views Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views Complete Entry Management for Contact Form 7: from n/a through = 3.2.2...
CVE-2026-57423
CVE-2026-57423 affects the WordPress plugin Message Filter for Contact Form 7 (cf7-message-filter), specifically versions up to 1.6.3.8. The issue is a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. Impact is reflected XSS...
CVE-2026-57710
Summary: The WordPress plugin WoowBot Pro Max (woowbot-pro-max) up to version 14.1.7 is affected by an Unrestricted/Arbitrary File Upload vulnerability. The issue allows uploading dangerous files, classified as a Critical risk (CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The affected line is...
CVE-2026-57738
CVE-2026-57738 affects WordPress Theme 777 (axiomthemes) up to version 1.13.0. The issue is a PHP object‑injection via deserialization of untrusted data in the 777 plugin/theme, enabling arbitrary object injection with high impact (CVSS 3.1: 9.8, Network attack, no user interaction). Connected so...
CVE-2026-57411
The CVE-2026-57411 entry concerns the WordPress plugin cf7-views (Aman CF7 Views – Complete Entry Management for Contact Form 7) with a DOM-based XSS vulnerability due to improper neutralization during web page generation. Affected versions are up to 3.2.2. CVSS v3.1 base score is 7.1 (HIGH); att...
CVE-2026-57372 WordPress WPJAM Basic plugin <= 7.0 - Server Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery SSRF vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through = 7.0...
CVE-2026-57372
CVE-2026-57372 is a Server-Side Request Forgery (SSRF) vulnerability affecting the WordPress WPJAM Basic plugin (wpjam-basic) versions up to and including 7.0. The CVE entry states the issue is a SSRF in WPJAM Basic, but the provided documents do not specify the underlying code path, affected fun...
CVE-2026-57371
The CVE-2026-57371 entry describes a Deserialization of Untrusted Data vulnerability in the WordPress WPJAM Basic plugin (wpjam-basic), affecting versions up to 7.0. The underlying issue is object injection via deserialization, enabling an attacker to potentially execute unintended actions throug...
CVE-2026-9597 Deactivated guest accounts can authenticate via magic-link token in Mattermost REST API login endpoint
Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...