
11 matches found

RedhatCVE
added 2026/01/25 9:16 a.m. | 3 views

CVE-2026-1076

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged...

CVSS 4.3 | AI score 5.5 | EPSS 0.00009
Exploits: 0 | References: 1

NVD
added 2026/01/24 8:16 a.m. | 2 views

CVE-2026-1076

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged...

CVSS 4.3 | EPSS 0.00009
Exploits: 0 | References: 3

CVE
added 2026/01/24 7:26 a.m. | 5 views

CVE-2026-1076

CVE-2026-1076: The Star Review Manager WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) due to missing nonce validation on the settings page. This enables unauthenticated attackers to forge requests to update the plugin’s CSS settings if a site administrator is tricked into per...

CVSS 4.3 | AI score 5.5 | EPSS 0.00009
Exploits: 0 | References: 3

Vulnrichment
added 2026/01/24 7:26 a.m. | 2 views

CVE-2026-1076 Star Review Manager <= 1.2.2 - Cross-Site Request Forgery to Settings Update

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged...

CVSS 4.3 | AI score 5.8 | EPSS 0.00009
Exploits: 0 | References: 3

Positive Technologies
added 2026/01/24 12:0 a.m. | 4 views

PT-2026-4580

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged...

CVSS 4.3 | AI score 5.5 | EPSS 0.00009
Exploits: 0 | References: 4

RedhatCVE
added 2025/05/23 7:0 a.m. | 4 views

CVE-2024-12249

The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savesettings function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVSS 4.3 | AI score 6.5 | EPSS 0.00209
Exploits: 0 | References: 1

NVD
added 2025/01/09 11:15 a.m. | 7 views

CVE-2024-12249

The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savesettings function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVSS 4.3 | EPSS 0.00209
Exploits: 0 | References: 3

Patchstack
added 2024/09/24 12:52 a.m. | 2 views

WordPress Webba Booking plugin <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update vulnerability

Missing Authorization to Authenticated (Subscriber+) CSS Settings Update vulnerability discovered by Lucio Sá in WordPress Plugin Webba Booking versions <= 5.0.48...

CVSS 4.3 | AI score 7 | EPSS 0.00228
Exploits: 0 | References: 1 | Affected Software: 1

wpexploit
added 2022/05/23 12:0 a.m. | 121 views

WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. Put the following payload in the CSS settings of the plugin:...

CVSS 4.8 | AI score 0.6 | EPSS 0.00206
Exploits: 2

WPVulnDB
added 2021/07/29 12:0 a.m. | 16 views

Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: Put the following code in the Custom CSS settings of the plugin: setTimeout"alert'1'",3000...

CVSS 3.5 | AI score 2.2 | EPSS 0.00206
Exploits: 2 | Affected Software: 1

OSV
added 2021/07/19 11:15 a.m. | 1 views

CVE-2021-24482

The Related Posts for WordPress plugin through 2.0.4 does not sanitise its headingtext and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues...

CVSS 4.8 | AI score 5.8
Exploits: 0 | References: 2