CVE-2025-14873 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing...
CVE-2025-14873
The CVE-2025-14873 CSRF vulnerability exists in LatePoint for WordPress (up to version 5.2.5). It arises because call_by_route_name does not enforce nonce verification, allowing unauthenticated attackers to induce site administrators to perform actions via forged requests. Remediation: update to ...
CVE-2026-1983
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2026-1983
CVE-2026-1983 concerns the SEATT: Simple Event Attendance plugin for WordPress. The Wordfence entry states this vulnerability is a Cross-Site Request Forgery (CSRF) flaw present in all versions up to 1.5.0, caused by missing nonce validation on event deletion. This enables unauthenticated attackers to tri...
PT-2026-8074
The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings vi...
PT-2026-8058
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's...
PT-2026-8059
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforci...
PT-2026-8073
Name of the Vulnerable Software and Affected Versions: midi-Synth plugin for WordPress, versions up to and including 1.1.0. Description: The midi-Synth plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type and file extension validation within the 'export' AJAX...
CVE-2025-15520
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above...
CVE-2025-15520 RegistrationMagic <= 6.0.7.2 - Subscriber+ Sensitive Data Disclosure
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above...
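The entries above describe two complementary failures in WordPress request handlers: the LatePoint, SEATT, WP Quick Contact Us, MDirector and MMA Call Tracking entries check the caller's capability but not a nonce (so a logged-in administrator can be made to submit the request from an attacker's page), while the RegistrationMagic entry checks a nonce but not a capability (so any subscriber who can obtain a nonce can call the endpoint). The following is an added illustration of both patterns beside a hardened handler; it is not code from any plugin listed here. It assumes it is loaded as a WordPress plugin, and the plugin name, the `exev_` functions, the `exev_event` and `exev_submission` post types and the capabilities chosen are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example Event Admin
 * Added illustration only: not code from LatePoint, SEATT, RegistrationMagic or
 * any other plugin in the listing. Function names, post types and capabilities
 * are assumptions.
 */

// Vulnerable pattern A (the CSRF entries): capability checked, nonce not.
// The attacker is unauthenticated; the victim is a logged-in administrator whose
// browser is made to submit this request from an attacker-controlled page. The
// session cookie travels with it, current_user_can() passes, and nothing proves
// the administrator intended the action. Not hooked; shown for contrast only.
function exev_delete_event_vulnerable() {
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    wp_delete_post( absint( $_POST['event_id'] ?? 0 ), true );
    wp_safe_redirect( admin_url( 'admin.php?page=exev' ) );
    exit;
}

// Vulnerable pattern B (the RegistrationMagic entry): nonce checked, capability not.
// A nonce only proves the request came from a page the caller was shown; any
// logged-in subscriber who can load that page holds a valid nonce, so passing
// this check says nothing about whether they may see the data. Not hooked.
function exev_export_vulnerable() {
    check_ajax_referer( 'exev_export', 'nonce' );
    wp_send_json( exev_collect_submissions() );
}

// Hardened handlers: authorization (capability) and intent (nonce) are two
// different questions, so every state-changing or data-returning handler asks both.
function exev_delete_event() {
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $event_id = absint( $_POST['event_id'] ?? 0 );
    // The nonce action is bound to the target object, so a nonce issued for one
    // event cannot be replayed against another. check_admin_referer() calls
    // wp_die() itself when the nonce is missing or invalid.
    check_admin_referer( 'exev_delete_event_' . $event_id, 'exev_nonce' );

    if ( 'exev_event' !== get_post_type( $event_id ) ) {
        wp_die( 'Not an event', '', array( 'response' => 400 ) );
    }
    wp_delete_post( $event_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=exev&deleted=1' ) );
    exit;
}
add_action( 'admin_post_exev_delete_event', 'exev_delete_event' );

function exev_export() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'exev_export', 'nonce' );
    wp_send_json_success( exev_collect_submissions() );
}
add_action( 'wp_ajax_exev_export', 'exev_export' );
// Deliberately no 'wp_ajax_nopriv_exev_export' hook: anonymous callers never reach it.

function exev_collect_submissions() {
    // Hypothetical private data that the export endpoint returns.
    return get_posts( array(
        'post_type'   => 'exev_submission',
        'post_status' => 'private',
        'numberposts' => -1,
    ) );
}

// The form that legitimately triggers the delete. wp_nonce_field() emits the
// hidden 'exev_nonce' input (and _wp_http_referer) that the handler verifies.
// An attacker's cross-site form cannot carry a valid value because the nonce is
// derived from the victim's session and the per-event action string.
function exev_render_delete_form( $event_id ) {
    $event_id = absint( $event_id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="exev_delete_event">
        <input type="hidden" name="event_id" value="<?php echo esc_attr( $event_id ); ?>">
        <?php wp_nonce_field( 'exev_delete_event_' . $event_id, 'exev_nonce' ); ?>
        <button type="submit" class="button button-link-delete">Delete event</button>
    </form>
    <?php
}
```

Two caveats follow from the listing. A capability check alone is not a CSRF defence, because the forged request is sent by the victim's own browser with the victim's own privileges; a nonce alone is not an authorization check, because WordPress issues nonces to any logged-in user who can render the page that embeds them. Where a plugin funnels all requests through one dispatcher, as the LatePoint entries describe for its routing layer, the nonce verification has to be applied per route in that dispatcher, not left to individual handlers that may never run it.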
Linux Distros Unpatched Vulnerability : CVE-2026-26014
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES...
CVE-2026-1215
The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mmacalltrackingmenu admin page. This makes it possible for unauthenticated attackers...
CVE-2026-26014
A vulnerability has been identified in the Pion DTLS implementation where the use of random nonce generation with AES-GCM ciphers does not adhere to recommended cryptographic practices. Under certain conditions, this may allow remote attackers to more easily derive or reuse encryption...
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE
manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using...
CVE-2026-26215
CVE-2026-26215 affects manga-image-translator, beta-0.3 and earlier, in shared API mode. The vulnerability is an unsafe deserialization via Python's pickle.loads() in FastAPI endpoints /simple_execute/{method} and /execute/{method}, processing attacker-controlled request bodies without validation...