8787 matches found
PT-2026-3182
GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with...
Dating <= 11.2.0 - Cross-Site Request Forgery
Description The Dating theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 11.2.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged...
Cryptographic Semantic Binding Flaw
ALTCHA libraries are vulnerable to a cryptographic semantic binding flaw. The vulnerability is due to ambiguous HMAC binding between challenge parameters and the nonce, which allows an attacker to splice or reinterpret a valid proof-of-work submission for example by modifying the expiration value...
CVE-2025-15376
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'setstopwordsforcomments' and 'deletestopwordsforcomments' functions. This makes it possible for unauthenticated...
CVE-2025-14846
The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...
CVE-2025-15376 Stopwords for comments <= 1.1 - Missing Authorization to Cross-Site Request Forgery
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'setstopwordsforcomments' and 'deletestopwordsforcomments' functions. This makes it possible for unauthenticated...
CVE-2025-15376 Stopwords for comments <= 1.1 - Missing Authorization to Cross-Site Request Forgery
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'setstopwordsforcomments' and 'deletestopwordsforcomments' functions. This makes it possible for unauthenticated...
CVE-2025-15376
The CVE-2025-15376 entry concerns the WordPress plugin Stopwords for comments, versions up to 1.1. It is a Cross-Site Request Forgery (CSRF) vulnerability caused by missing nonce validation in set_stopwords_for_comments and delete_stopwords_for_comments. This allows unauthenticated attackers to a...
CVE-2025-14846
The CVE-2025-14846 entry concerns the WordPress SocialChamp plugin (SocialChamp with WordPress) up to version 1.3.3. The issue is a Cross-Site Request Forgery (CSRF) due to missing nonce validation in the wpsc_settings_tab_menu function, allowing unauthenticated attackers to modify plugin setting...
EUVD-2026-2531
The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...
CVE-2025-14846 SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update
The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...
CVE-2025-14846 SocialChamp with WordPress <= 1.3.5 - Cross-Site Request Forgery to Plugin Settings Update
The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...
CVE-2025-15377
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'adminpagecontent' function. This makes it possible for unauthenticated attackers to update the plugin's settings via...
CVE-2025-14615
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for...
CVE-2025-14389
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted...
CVE-2025-15377
The CVE-2025-15377 entry describes a Cross-Site Request Forgery in the WordPress plugin Sosh Share Buttons (versions up to and including 1.1.0). The root cause is missing nonce validation in the admin_page_content function, enabling unauthenticated attackers to modify plugin settings via a forged...
CVE-2025-15377 Sosh Share Buttons <= 1.1.0 - Cross-Site Request Forgery
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'adminpagecontent' function. This makes it possible for unauthenticated attackers to update the plugin's settings via...
CVE-2025-15377 Sosh Share Buttons <= 1.1.0 - Cross-Site Request Forgery
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'adminpagecontent' function. This makes it possible for unauthenticated attackers to update the plugin's settings via...
CVE-2025-14615 DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for...
PT-2026-2811
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted...