CVE-2026-57641
Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions.
直近表示から外れた情報を確認できます。診断結果とは別情報として扱います。
Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions.
Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions.
Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Abandoned Cart Lite for WooCommerce <= 6.8.0 versions.
Contributor SQL Injection in wpForo Forum <= 3.0.9 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3 versions.
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions.
Administrator SQL Injection in Popup box <= 6.0.1 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions.
Administrator SQL Injection in WP All Import <= 4.0.1 versions.
Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
Subscriber Broken Access Control in WPCafe <= 3.0.14 versions.
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions.
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
Author Cross Site Scripting (XSS) in Featured Image <= 2.1 versions.
Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions.
Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions.
Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions.
Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.
Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions.
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions.
Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions.
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords.
Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions.
Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions.
Unauthenticated Arbitrary File Deletion in ShortPixel Adaptive Images <= 3.11.4 versions.
Subscriber SQL Injection in Tourfic <= 2.22.5 versions.
Unauthenticated Broken Access Control in MailChimp Block <= 1.1.15 versions.
Unauthenticated SQL Injection in Quotes llama <= 3.1.5 versions.
Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.
Unauthenticated Sensitive Data Exposure in Print Invoice & Delivery Notes for WooCommerce <= 7.1.1 versions.
Subscriber Arbitrary File Upload in Travel Booking <= 2.2.5 versions.
Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions.
Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.
Subscriber PHP Object Injection in RealHomes <= 4.5.3 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.