Sync EUVD catalog: Thu Apr 9 00:31:20 UTC 2026

Signed-off-by: AboutCode Automation <automation@aboutcode.org>

Author: aboutcode-automation

advisories/2026/04/EUVD-2023-51106.json

@@ -0,0 +1,29 @@
+{
+  "id": "EUVD-2023-51106",
+  "enisaUuid": "b209b870-a774-33cb-8b2f-ad3e6bc6f989",
+  "description": "QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request",
+  "datePublished": "Apr 8, 2026, 6:34:06 PM",
+  "dateUpdated": "Apr 8, 2026, 6:34:06 PM",
+  "baseScore": -1.0,
+  "references": "https://qd-today.github.io/qd/\nhttps://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46945\n",
+  "aliases": "GHSA-hgwj-xq97-2fmr\nCVE-2023-46945\n",
+  "assigner": "mitre",
+  "epss": 0.0,
+  "enisaIdProduct": [
+    {
+      "id": "2818840a-3d2f-3852-a07f-884b9029e8f3",
+      "product": {
+        "name": "n/a"
+      },
+      "product_version": "n/a"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "70b2f683-002a-332f-aabd-f95b9ecf8df2",
+      "vendor": {
+        "name": "n/a"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-27739.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-27739",
+  "enisaUuid": "55eecc65-06b2-3635-ae3e-e822b3cc76db",
+  "description": "The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected posts.",
+  "datePublished": "Apr 8, 2026, 9:32:50 PM",
+  "dateUpdated": "Apr 8, 2026, 9:32:50 PM",
+  "baseScore": 5.3,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f62a9ca0-7077-410f-b005-175348acd133?source=cve\nhttps://wordpress.org/plugins/seo-simple-pack/\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2795\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3109539%40seo-simple-pack&new=3109539%40seo-simple-pack&sfp_email=&sfph_mail=\n",
+  "aliases": "GHSA-3rj4-4gjq-qmjg\nCVE-2024-2795\n",
+  "assigner": "Wordfence",
+  "epss": 0.64,
+  "enisaIdProduct": [
+    {
+      "id": "9347b80f-cfe1-3012-a0c4-4004c0d69546",
+      "product": {
+        "name": "SEO SIMPLE PACK"
+      },
+      "product_version": "* \u22643.2.1"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "2da1a49b-d055-3cd3-90f2-25e288478503",
+      "vendor": {
+        "name": "looswebstudio"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33396.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33396",
+  "enisaUuid": "31f5025b-3dac-3f85-80b8-b3c05e61a4d8",
+  "description": "The Premium Packages \u2013 Sell Digital Products Securely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdmpp_pay_link shortcode in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 6.4,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c1758fc-5b0b-4071-b31b-1d72e34cc924?source=cve\nhttps://wordpress.org/plugins/wpdm-premium-packages/#developers\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10164\nhttps://plugins.trac.wordpress.org/changeset/3193172/wpdm-premium-packages/trunk/includes/libs/ShortCodes.php\n",
+  "aliases": "GHSA-6w97-w84p-j99h\nCVE-2024-10164\n",
+  "assigner": "Wordfence",
+  "epss": 0.14,
+  "enisaIdProduct": [
+    {
+      "id": "b704d954-2233-3f7c-8c81-ff0451705643",
+      "product": {
+        "name": "Premium Packages \u2013 Sell Digital Products Securely"
+      },
+      "product_version": "* \u22645.9.3"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "ef3e1c36-cfc4-361c-86b1-13152c12f1b5",
+      "vendor": {
+        "name": "codename065"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33399.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33399",
+  "enisaUuid": "f2ebe42d-f8ea-3453-a3b0-0b5b80148c16",
+  "description": "The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "datePublished": "Apr 8, 2026, 9:32:56 PM",
+  "dateUpdated": "Apr 8, 2026, 9:32:56 PM",
+  "baseScore": 6.4,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2a6d017-93e4-40c6-a7d1-07e00faecf36?source=cve\nhttps://wordpress.org/plugins/beds24-online-booking/#developers\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10177\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3193719%40beds24-online-booking&new=3193719%40beds24-online-booking&sfp_email=&sfph_mail=\nhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197034%40beds24-online-booking&new=3197034%40beds24-online-booking&sfp_email=&sfph_mail=\n",
+  "aliases": "CVE-2024-10177\nGHSA-969f-hj45-g74f\n",
+  "assigner": "Wordfence",
+  "epss": 0.08,
+  "enisaIdProduct": [
+    {
+      "id": "eb271292-ee2d-3c6e-8658-449cb738eea9",
+      "product": {
+        "name": "Beds24 Online Booking"
+      },
+      "product_version": "* \u22642.0.26"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "dc93341e-b7e0-38bf-9a90-d10929763ef5",
+      "vendor": {
+        "name": "markkinchin"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33430.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33430",
+  "enisaUuid": "0d92bfd6-2316-3ee1-8e4d-50732cb218d9",
+  "description": "The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.5.76. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 6.1,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/664f43a6-6461-42ce-a3e4-2277c01a0efb?source=cve\nhttps://plugins.trac.wordpress.org/browser/co-marquage-service-public/tags/0.5.76/includes/admin/notices.class.php#L37\nhttps://wordpress.org/plugins/co-marquage-service-public/#developers\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10522\nhttps://plugins.trac.wordpress.org/changeset/3192977/co-marquage-service-public/trunk/includes/admin/notices.class.php\n",
+  "aliases": "GHSA-xmv6-8wrq-cvg7\nCVE-2024-10522\n",
+  "assigner": "Wordfence",
+  "epss": 0.71,
+  "enisaIdProduct": [
+    {
+      "id": "1702a356-e9c7-3eee-9471-528bec62d9dc",
+      "product": {
+        "name": "Co-marquage service-public.fr"
+      },
+      "product_version": "* \u22640.5.76"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "b731d917-1fcf-361e-9b52-38d1d1ff8570",
+      "vendor": {
+        "name": "seb-emendo"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33433.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33433",
+  "enisaUuid": "871d9a82-44ed-397e-9001-c6966ae25f03",
+  "description": "The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to import demo data.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 4.3,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ad5d2b2-fca8-46bb-8a03-02be07f2a800?source=cve\nhttps://plugins.trac.wordpress.org/browser/bard-extra/trunk/bard-extra.php#L341\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10532\nhttps://plugins.trac.wordpress.org/changeset/3192923/bard-extra/trunk?contextall=1&old=3048156&old_path=%2Fbard-extra%2Ftrunk\n",
+  "aliases": "GHSA-rfxm-24fw-w8gg\nCVE-2024-10532\n",
+  "assigner": "Wordfence",
+  "epss": 0.07,
+  "enisaIdProduct": [
+    {
+      "id": "98de1e83-4949-3a86-98b2-d77d4c7838ac",
+      "product": {
+        "name": "Bard Extra"
+      },
+      "product_version": "* \u22641.2.7"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "99b78f84-5ed6-3288-ba24-cc7e58485fd8",
+      "vendor": {
+        "name": "wproyal"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33448.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33448",
+  "enisaUuid": "02648523-fd54-3d15-9eb3-9b0d2f576dbf",
+  "description": "The Announcement & Notification Banner \u2013 Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 6.1,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08033270-5547-437b-95e6-e004b78df5e4?source=cve\nhttps://plugins.trac.wordpress.org/browser/bulletin-announcements/tags/3.11.5/classes/class-bulletinwp-bulletins-table.php#L145\nhttps://plugins.trac.wordpress.org/browser/bulletin-announcements/tags/3.11.5/classes/class-bulletinwp-bulletins-table.php#L148\nhttps://plugins.trac.wordpress.org/browser/bulletin-announcements/tags/3.11.5/classes/class-bulletinwp-bulletins-table.php#L152\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10682\nhttps://plugins.trac.wordpress.org/changeset/3193763/bulletin-announcements/trunk/classes/class-bulletinwp-bulletins-table.php\n",
+  "aliases": "CVE-2024-10682\nGHSA-rj34-2hv8-gxfq\n",
+  "assigner": "Wordfence",
+  "epss": 1.03,
+  "enisaIdProduct": [
+    {
+      "id": "1e007d33-ffca-378e-b805-17765bb0c55a",
+      "product": {
+        "name": "Announcement & Notification Banner \u2013 Bulletin"
+      },
+      "product_version": "* \u22643.11.7"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "673f994c-f5ef-31bd-8031-d3d17540bd6d",
+      "vendor": {
+        "name": "mikewire_rocksolid"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33452.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33452",
+  "enisaUuid": "ee83674d-5de7-3545-9040-b093d7994700",
+  "description": "The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 6.1,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/305f2f13-178d-4b49-b59b-abb35d111299?source=cve\nhttps://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.4/ffw_function_settings.php#L57\nhttps://wordpress.org/plugins/friendly-functions-for-welcart/#developers\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10726\nhttps://plugins.trac.wordpress.org/changeset/3194674/friendly-functions-for-welcart/trunk/ffw_function_settings.php\n",
+  "aliases": "GHSA-7vw6-4466-499g\nCVE-2024-10726\n",
+  "assigner": "Wordfence",
+  "epss": 0.26,
+  "enisaIdProduct": [
+    {
+      "id": "4cd54f8f-ef7f-3cd7-a756-d3cb6fa304c8",
+      "product": {
+        "name": "Friendly Functions for Welcart"
+      },
+      "product_version": "* \u22641.2.4"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "a6aa6493-ba3f-32c5-9ac0-458e4db467e3",
+      "vendor": {
+        "name": "mainichiweb"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33803.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33803",
+  "enisaUuid": "9531e420-190b-36e4-abfb-4441cceb571f",
+  "description": "The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
+  "datePublished": "Apr 8, 2026, 9:32:56 PM",
+  "dateUpdated": "Apr 8, 2026, 9:32:56 PM",
+  "baseScore": 6.1,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc949922-7bfa-4704-9038-cf4b5262f864?source=cve\nhttps://plugins.trac.wordpress.org/browser/wip-incoming-lite/trunk/core/includes/class-panel.php#L173\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11416\nhttps://plugins.trac.wordpress.org/changeset/3196396/wip-incoming-lite/trunk/core/includes/class-panel.php?contextall=1\n",
+  "aliases": "CVE-2024-11416\nGHSA-xmjc-5pgp-5pjx\n",
+  "assigner": "Wordfence",
+  "epss": 0.13,
+  "enisaIdProduct": [
+    {
+      "id": "61edbe3e-4743-39a2-b924-86bd7b7ba417",
+      "product": {
+        "name": "WIP Incoming Lite"
+      },
+      "product_version": "* \u22641.1.1"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "f3414f69-f4cd-3008-b4f7-ef92eb927970",
+      "vendor": {
+        "name": "alexvtn"
+      }
+    }
+  ]
+}

advisories/2026/04/EUVD-2024-33808.json

@@ -0,0 +1,31 @@
+{
+  "id": "EUVD-2024-33808",
+  "enisaUuid": "d4d4c3b0-ead6-3f95-818e-a7facfd39da8",
+  "description": "The SuevaFree Essential Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'counter' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "datePublished": "Apr 8, 2026, 6:33:40 PM",
+  "dateUpdated": "Apr 8, 2026, 6:33:40 PM",
+  "baseScore": 6.4,
+  "baseScoreVersion": "3.1",
+  "baseScoreVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
+  "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c55e673-93af-403e-a690-2ae02c63541f?source=cve\nhttps://plugins.trac.wordpress.org/browser/suevafree-essential-kit/trunk/core/shortcodes/counter.php\nhttps://wordpress.org/plugins/suevafree-essential-kit/\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-11432\nhttps://plugins.trac.wordpress.org/changeset/3193152/suevafree-essential-kit/trunk/core/shortcodes/counter.php\n",
+  "aliases": "GHSA-qwh9-3w37-r5hc\nCVE-2024-11432\n",
+  "assigner": "Wordfence",
+  "epss": 8.02,
+  "enisaIdProduct": [
+    {
+      "id": "3c82bd1b-777b-37fd-a0cd-60385be0d332",
+      "product": {
+        "name": "SuevaFree Essential Kit"
+      },
+      "product_version": "* \u22641.1.3"
+    }
+  ],
+  "enisaIdVendor": [
+    {
+      "id": "052f38d2-adb1-3dbc-8ab3-292e638265db",
+      "vendor": {
+        "name": "alexvtn"
+      }
+    }
+  ]
+}