25 matches found

Positive Technologies
added 2026/02/19 12:0 a.m. · 3 views

PT-2026-20599

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno update page title. This makes it possible for...

CVSS 4.3 · AI score 5.3 · EPSS 0.00016
Exploits 0 · References 3
Cvelist
added 2026/01/09 6:34 a.m. · 22 views

CVE-2025-14720 Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Missing Authorization to Unauthenticated Multiple AJAX Actions

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as...

CVSS 5.3 · EPSS 0.00053
Exploits 0 · References 2
Positive Technologies
added 2026/01/07 12:0 a.m. · 1 view

PT-2026-1591

Name of the Vulnerable Software and Affected Versions: SVG Map Plugin for WordPress versions prior to 1.0.1 Description: The software is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on multiple AJAX actions. Specifically, the AJAX actions ‘save data’,...

CVSS 6.1 · AI score 6.4 · EPSS 0.00024
Exploits 0 · References 5
RedhatCVE
added 2025/12/14 5:3 a.m. · 2 views

CVE-2025-14395

The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX actions (e.g., popsubmit, popthemesubmit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-lev...

CVSS 4.3 · AI score 5.2 · EPSS 0.00036
Exploits 0 · References 1
CVE
added 2025/12/13 4:31 a.m. · 4 views

CVE-2025-14395

The CVE CVE-2025-14395 concerns the Popover Windows WordPress plugin (versions

CVSS 4.3 · AI score 4.8 · EPSS 0.00036
Exploits 0 · References 2
Positive Technologies
added 2025/12/13 12:0 a.m. · 1 view

PT-2025-51070

The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX actions (e.g., pop submit, poptheme submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 5.2 · EPSS 0.00036
Exploits 0 · References 2
RedhatCVE
added 2025/10/12 10:5 a.m. · 2 views

CVE-2025-10375

The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibesignup, accessibelogin, accessibelicensetrial, accessibemodifyconfig,...

CVSS 4.3 · AI score 5.4 · EPSS 0.00012
Exploits 0 · References 1
CNNVD
added 2025/09/11 12:0 a.m. · 1 view

WordPress plugin Salon Booking System security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exist...

CVSS 5.3 · AI score 6.5 · EPSS 0.00259
Exploits 0 · References 2
Positive Technologies
added 2024/11/28 12:0 a.m. · 2 views

PT-2024-17345 · WordPress · Image Alt Text

Name of the Vulnerable Software and Affected Versions: Image Alt Text plugin for WordPress versions up to and including 2.0.0 Description: The issue allows authenticated attackers with subscriber-level access and above to update the alt text on arbitrary images due to a missing capability check o...

CVSS 4.3 · AI score 7.3 · EPSS 0.00066
Exploits 0 · References 5
Positive Technologies
added 2024/10/16 12:0 a.m. · 2 views

PT-2024-10852 · WordPress · Wpvivid

Name of the Vulnerable Software and Affected Versions: Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including 0.9.35 Description: The issue is related to arbitrary file uploads due to a missing capability check on the wpvivid upload import files and wpvivid upload...

CVSS 8.8 · AI score 7.1 · EPSS 0.48501
Exploits 0 · References 14
Positive Technologies
added 2024/07/17 12:0 a.m. · 2 views

PT-2024-28620 · WordPress · Cooked

Name of the Vulnerable Software and Affected Versions: Cooked plugin for WordPress versions up to, and including, 1.7.15.4 Description: The issue is related to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the AJAX action handler. This could allow an attacker to...

CVSS 8.8 · AI score 6.8 · EPSS 0.00324
Exploits 1 · References 7
Patchstack
added 2024/06/06 2:36 a.m. · 4 views

WordPress The Moneytizer plugin <= 9.6.3 - Cross-Site Request Forgery via multiple AJAX actions vulnerability

Cross-Site Request Forgery via multiple AJAX actions vulnerability discovered by Francesco Carlucci in WordPress Plugin The Moneytizer versions <= 9.6.3...

CVSS 8.1 · AI score 7.1 · EPSS 0.00156
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2024/05/30 12:0 a.m. · 2 views

PT-2024-31095 · WordPress · Comparison Slider

Name of the Vulnerable Software and Affected Versions: Comparison Slider plugin for WordPress versions up to, and including, 1.0.5 Description: The issue allows authenticated attackers with subscriber access or above to modify data due to a missing capability check on several AJAX actions. This...

CVSS 4.3 · AI score 6.7 · EPSS 0.00189
Exploits 0 · References 5
Positive Technologies
added 2024/01/15 12:0 a.m. · 2 views

PT-2024-14871 · WordPress · Wp Custom Widget Area

Name of the Vulnerable Software and Affected Versions: WP Custom Widget area WordPress plugin versions 1.2.5 and earlier Description: The issue arises from the plugin not properly applying capability and nonce checks on its AJAX action callback functions. This could allow attackers with subscribe...

CVSS 4.3 · AI score 4.5 · EPSS 0.00062
Exploits 2 · References 6
Positive Technologies
added 2024/01/15 12:0 a.m. · 2 views

PT-2024-15107 · WordPress · Easyjobs

Name of the Vulnerable Software and Affected Versions: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin versions prior to 2.4.7 Description: The issue arises from the plugin not properly securing some of its AJAX actions,...

CVSS 4.3 · AI score 4.5 · EPSS 0.00058
Exploits 2 · References 5
OSV
added 2023/10/20 8:15 a.m. · 1 view

CVE-2023-5602

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for...

CVSS 8.8 · AI score 7.2
Exploits 0 · References 2
Positive Technologies
added 2023/06/09 12:0 a.m. · 1 view

PT-2023-20002 · WordPress · Easy Google Maps

Name of the Vulnerable Software and Affected Versions: Easy Google Maps plugin for WordPress versions up to and including 1.11.7 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the AJAX action handler. This allows unauthenticated...

CVSS 5.4 · AI score 6.3 · EPSS 0.00111
Exploits 0 · References 6
Positive Technologies
added 2023/06/07 12:0 a.m. · 2 views

PT-2023-11844 · WordPress · Ultimate Addons For Gutenberg

Name of the Vulnerable Software and Affected Versions: The Ultimate Addons for Gutenberg plugin for WordPress versions up to, and including, 1.14.7 Description: The issue is due to missing capability checks on several AJAX actions, making it possible for authenticated attackers with subscriber+...

CVSS 5.5 · AI score 4.4 · EPSS 0.00049
Exploits 1 · References 5
ATTACKERKB
added 2023/04/05 7:15 p.m. · 2 views

CVE-2022-4940

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such ...

CVSS 7.3 · AI score 6.8 · EPSS 0.04192
Exploits 0 · References 6
OSV
added 2023/02/13 3:15 p.m. · 1 view

CVE-2023-0098

The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber...

CVSS 8.8 · AI score 5.8 · EPSS 0.00686
Exploits 2 · References 1