CVE-2024-7861
CVE-2024-7861 affects the Misiek Paypal WordPress plugin up to version 1.1.20090324. The Red Hat/NVD entries describe a lack of CSRF checks in some areas, combined with insufficient sanitisation and escaping, enabling an attacker to make a logged-in admin store a Cross-Site Scripting payload via CSRF. Exploitatio...
CVE-2024-7861 Misiek Paypal <= 1.1.20090324 - Stored XSS via CSRF
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-7818 Misiek Photo Album <= 1.4.3 - Stored XSS via CSRF
The Misiek Photo Album WordPress plugin through 1.4.3 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-7820 ILC Thickbox <= 1.0 - Settings update via CSRF
The ILC Thickbox WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-7859
The CVE-2024-7859 entry affects the Visual Sound WordPress plugin (versions
CVE-2024-7820
CVE-2024-7820 affects the ILC Thickbox WordPress plugin (≤ 1.0). The issue is missing CSRF protection on the settings update path, enabling an attacker to make a logged-in admin change the plugin's settings via a CSRF attack. Root cause: absence of CSRF checks in the settings update handler. Public details in connected sources confi...
CVE-2024-7816 Gixaw Chat <= 1.0 - Stored XSS via CSRF
The Gixaw Chat WordPress plugin through 1.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-6017 Music Request Manager <= 1.3 - Stored XSS via CSRF
The Music Request Manager WordPress plugin through 1.3 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-3163
The Easy Property Listings WordPress plugin prior to version 3.5.4 is missing CSRF protection on its bulk contact deletion action. This allows an attacker to make a logged-in administrator delete contacts via a CSRF attack. Affected products/versions: Easy Pr...
CVE-2024-7698
A low-privileged remote attacker can gain access to the CSRF tokens of higher-privileged users, which can be abused to mount CSRF attacks...
CVE-2024-7687
AZIndex WordPress plugin (
CVE-2024-7688
CVE-2024-7688 affects the AZIndex WordPress plugin (versions
CVE-2024-6853
The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check when updating welcome popups, which could allow attackers to make logged-in admins perform that action via a CSRF attack...
CVE-2024-6856
The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-6852 WP MultiTasking <= 0.1.12 - Settings Update via CSRF
The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-6853
CVE-2024-6853 concerns WP MultiTasking for WordPress, affected in versions
CVE-2024-6855
The CVE-2024-6855 issue affects the WP MultiTasking (WP Utilities) WordPress plugin, specifically versions
CVE-2024-6856
CVE-2024-6856 affects the WordPress plugin WP MultiTasking (versions up to 0.1.12). The root cause is a missing CSRF check when updating plugin settings, enabling an attacker to make a logged-in admin modify the settings through a CSRF attack. Exploitation details are not provided beyond this description in the co...
CVE-2024-7690 DN Popup <= 1.2.2 - Settings Update via CSRF
The DN Popup WordPress plugin through 1.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
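Nearly every entry above is the same bug class: an admin-side handler that updates plugin state without verifying a WordPress nonce, sometimes combined with no sanitisation on input and no escaping on output, which turns "settings update via CSRF" into "Stored XSS via CSRF". The following is an added example written for this page, not code from any plugin listed here; the plugin slug `hypo`, the option name and all function names are hypothetical. It shows the vulnerable pattern and the hardened pattern side by side, using only core WordPress APIs.

```php
<?php
// Added example (not code from any plugin named on this page). The "hypo_"
// prefix, option name and page slug are hypothetical placeholders.

// --- Vulnerable pattern: matches the advisories above ---
// No nonce, no capability check, no sanitisation, unescaped output.
add_action( 'admin_init', 'hypo_vuln_handle_settings' );
function hypo_vuln_handle_settings() {
    if ( isset( $_POST['hypo_banner_text'] ) ) {
        // Any request carrying the admin's session cookie is accepted, so a
        // form auto-submitted from an attacker's page while the admin is
        // logged in writes attacker-controlled data to the option.
        update_option( 'hypo_banner_text', $_POST['hypo_banner_text'] );
    }
}
function hypo_vuln_render_banner() {
    // The stored value is echoed raw: a payload stored via CSRF becomes
    // Stored XSS for every visitor who sees the banner.
    echo '<div class="hypo-banner">' . get_option( 'hypo_banner_text', '' ) . '</div>';
}

// --- Hardened pattern ---
function hypo_safe_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="text" name="hypo_banner_text"
               value="<?php echo esc_attr( get_option( 'hypo_banner_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_hypo_save_settings', 'hypo_safe_handle_settings' );
function hypo_safe_handle_settings() {
    // 1. Authorisation: only users who may manage options reach the update.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce is bound to the action and to the logged-in user's
    //    session, so a cross-site forged request cannot supply a valid one.
    //    check_admin_referer() calls wp_die() when the nonce is missing/invalid.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );
    // 3. Sanitise on input.
    $text = isset( $_POST['hypo_banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['hypo_banner_text'] ) )
        : '';
    update_option( 'hypo_banner_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo-settings&updated=1' ) );
    exit;
}
function hypo_safe_render_banner() {
    // 4. Escape on output as well; sanitisation on input is not a substitute.
    echo '<div class="hypo-banner">' . esc_html( get_option( 'hypo_banner_text', '' ) ) . '</div>';
}
```

Two review checks follow from this. First, grep a plugin's `admin_post_*`, `admin_init` and `wp_ajax_*` handlers for `check_admin_referer()` / `check_ajax_referer()` / `wp_verify_nonce()` and for a `current_user_can()` check; a handler with neither is the pattern these CVEs describe. Second, note that the nonce only helps while it stays secret: the token-exposure issue in the CVE-2024-7698 entry above is a reminder that a nonce an attacker can read (for example via a leaky endpoint) can be replayed into an otherwise well-formed CSRF request.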