Lucene search
K

8799 matches found

RedhatCVE
RedhatCVE
added 2026/01/09 9:16 a.m.6 views

CVE-2025-14468

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the ampthemeajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts...

4.3CVSS5.7AI score0.00132EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:16 a.m.5 views

CVE-2025-13657

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handlequeryargs function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS5.2AI score0.00128EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:16 a.m.6 views

CVE-2025-13520

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugi...

4.3CVSS5.3AI score0.0014EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:16 a.m.4 views

CVE-2025-13527

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xsharepluginreset' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged...

4.3CVSS5.3AI score0.0014EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:4 a.m.7 views

CVE-2024-39681

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users...

8.8CVSS6.9AI score0.00334EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:4 a.m.11 views

CVE-2024-39678

Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery CSRF in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing...

8.8CVSS6.9AI score0.00343EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:3 a.m.9 views

CVE-2024-39679

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users...

8.8CVSS6.9AI score0.00343EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:3 a.m.9 views

CVE-2024-39680

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users...

8.8CVSS6.9AI score0.00334EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:57 a.m.9 views

CVE-2023-4916

The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwpupdatepasswordaction' function. This makes it possible for unauthenticated attackers to change user password via...

8.8CVSS5.5AI score0.00324EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:57 a.m.9 views

CVE-2023-4276

The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abprprofileShortcode' function. This makes it possible for unauthenticated attackers to change user email and password via a...

8.8CVSS6.6AI score0.00276EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:45 a.m.5 views

CVE-2025-13493

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rndhandleformsubmit function hooked to both adminpostmysimpleform and...

7.5CVSS5.9AI score0.00283EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:36 a.m.10 views

CVE-2020-12076

The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. One consequence of this is stored XSS...

9.6CVSS6.7AI score0.00687EPSS
Exploits0References1
NVD
NVD
added 2026/01/09 8:15 a.m.4 views

CVE-2025-14146

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBCFLEXTIMELINENAV AJAX action. This is due to the nonce verification being conditionally disabled by default bookingisnonceatfrontend option is 'Off' ...

5.3CVSS0.00337EPSS
Exploits0References6
CVE
CVE
added 2026/01/09 7:22 a.m.19 views

CVE-2025-14146

CVE-2025-14146 is a Booking Calendar WordPress plugin issue (up to version 10.14.10) where unauthenticated attackers can exfiltrate sensitive booking data via the WPBC_FLEXTIMELINE_NAV AJAX action. The root cause is that nonce verification is conditionally disabled by default because the setting ...

5.3CVSS5.8AI score0.00337EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/01/09 7:22 a.m.27 views

CVE-2025-14146 Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBCFLEXTIMELINENAV AJAX action. This is due to the nonce verification being conditionally disabled by default bookingisnonceatfrontend option is 'Off' ...

5.3CVSS0.00337EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/01/09 7:22 a.m.3 views

CVE-2025-14146 Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBCFLEXTIMELINENAV AJAX action. This is due to the nonce verification being conditionally disabled by default bookingisnonceatfrontend option is 'Off' ...

5.3CVSS5.8AI score0.00337EPSS
Exploits0References6
NVD
NVD
added 2026/01/09 6:16 a.m.9 views

CVE-2025-13749

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcrupmchangeflag" function. This makes it possible for...

4.3CVSS0.00124EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/09 5:25 a.m.23 views

CVE-2025-13749 Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcrupmchangeflag" function. This makes it possible for...

4.3CVSS0.00124EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/09 5:25 a.m.2 views

CVE-2025-13749 Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcrupmchangeflag" function. This makes it possible for...

4.3CVSS4.9AI score0.00124EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/09 12:0 a.m.7 views

PT-2026-1731

Name of the Vulnerable Software and Affected Versions Booking Calendar versions prior to 10.14.11 Description The Booking Calendar plugin for WordPress is susceptible to sensitive information exposure via the WPBC FLEXTIMELINE NAV AJAX action. This occurs because nonce verification is conditional...

5.3CVSS6.2AI score0.00337EPSS
Exploits0References10
Rows per page
Query Builder