1834 matches found
CVE-2023-7174 aBitGone CommentSafe <= 1.0.0 - Settings Update to Stored XSS via CSRF
The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2023-5934 Travelpayouts < 1.1.13 - Settings Update via CSRF
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have a CSRF check in place when importing settings from v1, which could allow attackers to make a logged-in admin update some settings via a CSRF attack...
CVE-2023-2334 Easy Digital Downloads Google Sheet Connector < 1.6.6 - Access Code Update via CSRF
The edd-google-sheet-connector-pro WordPress plugin before 1.4 and the Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 do not have a CSRF check when updating the Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a...
CVE-2025-2247
The CVE-2025-2247 entry concerns the WP-PManager WordPress plugin (versions 1.2 and earlier), whose settings update functionality lacks a CSRF check. Because a CSRF attack rides on the victim's own session, the attacker needs no account of their own: a crafted page could make a logged-in administrator change settings v...
CVE-2025-2247 WP-PManager <= 1.2 - Category Deletion via CSRF
The WP-PManager WordPress plugin through 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-9450 Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking < 1.3.15 - Subscriber+ PayPal Settings Update
The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in subscriber change them via a CSRF attack...
CVE-2024-9233
CVE-2024-9233 concerns the Logo Slider WordPress plugin, versions prior to 3.7.1. The public description and Red Hat/NVD entries confirm a lack of CSRF protection when updating plugin settings, potentially allowing a logged-in admin to be coerced into changing settings via CSRF. The vulnerability...
CVE-2024-8398
Summary: CVE-2024-8398 affects the WordPress plugin Simple Nav Archives, versions
CVE-2024-8245 GamiPress - Reset User <= 1.0.0 - GamiPress User Data Removal via CSRF
The GamiPress WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-8085 PeoplePond <= 1.1.9 - CSRF to Stored XSS
The PeoplePond WordPress plugin through 1.1.9 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-8082 Widgets Reset <= 0.1 - Settings Update via CSRF
The Widgets Reset WordPress plugin through 0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-7984
The CVE concerns the WordPress plugin Joy Of Text Lite (SMS messaging for WordPress) versions 2.3.1 and earlier. The vulnerability arises from a missing CSRF check when updating plugin settings, which could allow an attacker to cause a logged-in admin to change settings via CSRF. Exploitation det...
CVE-2024-8050 Custom Author Base <= 1.1.1 - Settings Update via CSRF
The Custom Author Base WordPress plugin through 1.1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-7984 Joy Of Text Lite – SMS messaging for WordPress <= 2.3.1 - Settings Update via CSRF
The Joy Of Text Lite WordPress plugin through 2.3.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-6712
The CVE-2024-6712 entry concerns the WordPress MapFig Studio plugin (versions ≤ 0.2.1). The root cause is missing CSRF checks in several areas, coupled with insufficient sanitisation and escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack. The vulnerability ...
CVE-2024-6719
The CVE-2024-6719 entry concerns the WordPress plugin “Offload Videos” (bunny.net/AWS S3 integration) prior to version 1.0.1. According to the documentation, the vulnerability arises from a missing CSRF check when updating plugin settings, which could allow low-privilege users to alter settings v...
CVE-2024-6712 MapFig Studio <= 0.2.1 - Stored XSS via CSRF
The MapFig Studio WordPress plugin through 0.2.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12750 Competition Form <= 2.0 - Competition Deletion via CSRF
The Competition Form WordPress plugin through 2.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-11719 tarteaucitron.js for WordPress < 0.3.0 - Stored XSS via CSRF
The tarteaucitron-wp WordPress plugin before 0.3.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
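Every entry in this listing is one of two defects: a settings-update handler that neither verifies a WordPress nonce nor checks the caller's capability, and, in the "Stored XSS via CSRF" variants, a value that is stored unsanitised and printed unescaped. The following is an added illustration of both patterns side by side with their fix; it is not code from any plugin listed above. The plugin name, option name, field names and every identifier prefixed hypo_ are hypothetical; the WordPress functions (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, esc_html, and the admin_post_{action} hook) are real core API.

```php
<?php
/**
 * Plugin Name: Hypo CSRF Demo (illustration only)
 *
 * Added example, not code from any plugin in the listing above. Everything
 * prefixed "hypo_" is hypothetical. The vulnerable functions are defined but
 * deliberately NOT hooked; only the hardened handler is wired into WordPress.
 */

// ---- Vulnerable pattern (the bug class the advisories describe) --------------
// No nonce, no capability check, raw $_POST stored. Any site the admin visits
// can auto-submit <form method="post" action="https://victim/wp-admin/"> with a
// hypo_footer_text field; the browser attaches the admin's cookies on its own.
function hypo_save_settings_vulnerable() {
    if ( isset( $_POST['hypo_footer_text'] ) ) {
        update_option( 'hypo_footer_text', $_POST['hypo_footer_text'] );
    }
}
// Printing the option unescaped turns the CSRF into stored XSS on every page load.
function hypo_render_footer_vulnerable() {
    echo get_option( 'hypo_footer_text', '' );
}

// ---- Hardened pattern --------------------------------------------------------
// Settings page: the form carries a nonce bound to this action and this user,
// which a cross-site form cannot know.
function hypo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <label>Footer text
            <input type="text" name="hypo_footer_text"
                   value="<?php echo esc_attr( get_option( 'hypo_footer_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Hypo Demo', 'Hypo Demo', 'manage_options', 'hypo-demo', 'hypo_settings_page' );
} );

// admin_post_{action} fires only for logged-in users; the nopriv variant is
// intentionally not registered.
function hypo_save_settings_hardened() {
    // 1. Authorisation first. A nonce alone does not stop a logged-in subscriber
    //    from loading the form and submitting it directly (compare the
    //    "Subscriber+" entry above), so the capability check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: check_admin_referer() verifies the nonce for this action and user
    //    and dies with "The link you followed has expired" if it is absent or wrong.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );
    // 3. Sanitise on input. wp_unslash() first, because WordPress adds slashes to
    //    request data before handlers see it.
    $text = isset( $_POST['hypo_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['hypo_footer_text'] ) )
        : '';
    update_option( 'hypo_footer_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_hypo_save_settings', 'hypo_save_settings_hardened' );

// 4. Escape on output regardless of what was stored; sanitisation on the way in
//    does not protect a value that is later edited through another path.
function hypo_render_footer_hardened() {
    echo esc_html( get_option( 'hypo_footer_text', '' ) );
}
add_action( 'wp_footer', 'hypo_render_footer_hardened' );
```

The same check applies to the other entry points these plugins typically expose: admin-ajax handlers use check_ajax_referer(), and REST routes use a permission_callback plus the wp_rest nonce that WordPress sends in the X-WP-Nonce header. Handlers written against the Settings API (register_setting() with a sanitize_callback, form posting to options.php) get the nonce check from core, which is the idiomatic route for plain option pages. When auditing one of the listed plugins, the quick test is to replay the settings POST with the nonce field removed or altered: a handler that still writes the option is the bug.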