PT-2026-48640

Cross-Site request forgery CSRF vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10...

Cross-site Scripting (XSS)

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Cross-site Scripting XSS through the Template response rendering path in the HTML template components. An attacker can inject arbitrary HTML o...

GHSA-RQFJ-VV8R-XHQC nebula-mesh: Session and OIDC state cookies lack the Secure attribute

internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration discloses the session. Affected All released...

WordPress WP Migrate Lite plugin <= 2.7.8 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WP Migrate Lite versions = 2.7.8...

Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents

Summary The dashboard exposes the cron manual-trigger action as an authenticated GET /api/v1/cron/:id/manual endpoint. Dashboard JWTs are sent in the nz-jwt cookie and configured with SameSite=Lax, which browsers include on top-level cross-site GET navigations. Because this state-changing GET...

CVE-2025-58468

CVE-2025-58468—Notification Center describes a cross-site request forgery (CSRF) vulnerability that could allow remote attackers to gain privileges or hijack user identities. The advisory states the issue is fixed in Notification Center version 1.10.0.3291 and later. From the connected records, n...

PT-2026-48541

internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration discloses the session. Affected All released...

CVE-2026-8904

The FastPicker, an order picker and order management system oms for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes i...

CVE-2026-11603

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'argsfilterFormArray' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2026-8910

The CVE refers to the WordPress plugin WP Emoticon Rating (versions

EUVD-2026-35300

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...

CVE-2026-8940

The CVE-2026-8940 entry concerns WordPress plugin WP Meta Sort Posts (versions

PT-2026-47639

Name of the Vulnerable Software and Affected Versions Product Filter Widget for Elementor versions prior to 1.0.7 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. This is achieved via a CSRF-style form auto-submission...

PT-2026-47681

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

Jenkins build-metrics 1.3 - Cross-Site Scripting

Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...

SUSE CVE-2026-1070

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alexusercounterfunction function. This makes it possible for unauthenticated attackers to update the plugin settings via...

PT-2026-47542

Every /ui/ POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: - top-level form-submit navigations from third-party pages some browsers still send Lax cookie...

CVE-2026-9719

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

CVE-2026-7047

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...

CVE-2026-7047

CVE-2026-7047 concerns the WordPress plugin Frontend User Notes up to version 2.1.1. The vulnerability is a Cross-Site Request Forgery (CSRF) stemming from missing or incorrect nonce validation in the funp_ajax_modify_notes function. This allows an unauthenticated attacker to lure a logged-in use...