68 matches found
GP Premium <= 2.4.0 - Cross-Site Scripting
The GP Premium plugin for WordPress up to 2.4.0 is vulnerable to reflected XSS via the 'message' parameter in inc/verify.php lines 95-101, where a message passed with slactivation=false is URL-decoded and used unsanitized in addsettingserror, allowing XSS payloads to be reflected in admin notices...
EUVD-2026-36140
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicatepostdismissnotice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicatepostshownotice site option, suppressing...
CVE-2026-53739
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicatepostdismissnotice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicatepostshownotice site option, suppressing...
CVE-2026-53739 Yoast Duplicate Post through 4.6 Cross-Site Request Forgery via duplicate_post_dismiss_notice
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicatepostdismissnotice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicatepostshownotice site option, suppressing...
CVE-2026-53739
CVE-2026-53739 affects the WordPress plugin Yoast Duplicate Post up to version 4.6. The issue is a cross-site request forgery in the duplicate_post_dismiss_notice handler that does not verify a nonce or capability. This allows an attacker to trick an authenticated user into issuing a request that...
PT-2026-48553
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate post dismiss notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate post show notice site option,...
WordPress plugin Yoast Duplicate Post 跨站请求伪造漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-2374
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...
CVE-2026-2374
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...
CVE-2026-2374 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...
PT-2026-44172
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $ SERVER'PHP SELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$ SERVER'PHP SELF' in the login...
EUVD-2026-8520
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...
CVE-2026-2410
CVE-2026-2410 refers to the WordPress plugin Disable Admin Notices – Hide Dashboard Notifications, vulnerable to Cross-Site Request Forgery (CSRF) up to version 1.4.2. The issue arises from missing nonce validation in the showPageContent() function, enabling unauthenticated attackers to craft req...
CVE-2026-2410 Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...
CVE-2026-2410
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...
CVE-2026-2410 Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...
WordPress plugin Disable Admin Notices – Hide Dashboard Notifications 跨站请求伪造漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress Disable Admin Notices - Hide Dashboard Notifications plugin <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
WordPress Disable Admin Notices - Hide Dashboard Notifications plugin = 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by lucsob in WordPress Plugin Disable Admin Notices individually versions = 1.4.2...
Automattic: XSS Vulnerability on Pressable/Atomic Hosting Platform via unescaped admin notices leads to code execution
A cross-site scripting XSS vulnerability was discovered in the Pressable/Atomic Hosting Platform's admin notices feature. Unescaped text output in the atomic-platform.php file allowed arbitrary JavaScript code execution when an administrator updated or set the atomicsingleoptionlimiternotices...
EUVD-2021-25705
Malware in sbrugna...