22 matches found

CVE
added 2026/05/12 7:48 a.m. · 9 views

CVE-2026-7616

The CVE-2026-7616 entry concerns the WordPress Zawgyi Embed plugin (versions up to 2.1.1). The root cause is missing or incorrect nonce validation in the zawgyi_adminpage function, enabling Cross-Site Request Forgery. This allows unauthenticated attackers to modify the plugin’s zawgyi_forceCSS se...

CVSS 4.3 · AI score 5.7 · EPSS 0.00128 · Exploits 0 · References 5
Positive Technologies
added 2026/05/12 12:00 a.m. · 11 views

PT-2026-39973

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update the plugin's zawgyi...

CVSS 4.3 · AI score 5.7 · EPSS 0.00128 · Exploits 0 · References 6
Cvelist
added 2026/04/16 7:39 a.m. · 24 views

CVE-2025-14868 Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion

The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the...

CVSS 8.8 · EPSS 0.00412 · Exploits 0 · References 2
NVD
added 2026/02/19 7:17 a.m. · 4 views

CVE-2026-1455

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfwsaveuserssettings' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 · EPSS 0.00124 · Exploits 0 · References 3
CVE
added 2026/02/18 5:29 a.m. · 13 views

CVE-2026-2023

CVE-2026-2023: WP Plugin Info Card for WordPress was affected by a CSRF vulnerability up to version 6.2.0 due to missing nonce validation in ajax_save_custom_plugin(), allowing unauthenticated attackers to forge requests that create or modify custom plugin entries if a site admin is enticed to pe...

CVSS 4.3 · AI score 5.4 · EPSS 0.00156 · Exploits 0 · References 5
Positive Technologies
added 2026/02/11 12:00 a.m. · 5 views

PT-2026-7496

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mma call tracking menu admin page. This makes it possible for unauthenticated...

CVSS 4.3 · AI score 5.4 · EPSS 0.0016 · Exploits 0 · References 6
Vulnrichment
added 2026/01/20 1:22 a.m. · 1 view

CVE-2026-1051 Newsletter – Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription

The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hooknewsletteraction function. This makes it possible for unauthenticated...

CVSS 4.3 · AI score 5.5 · EPSS 0.00104 · Exploits 0 · References 2
RedhatCVE
added 2026/01/13 10:53 p.m. · 2 views

CVE-2025-14976

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce...

CVSS 5.4 · AI score 5.5 · EPSS 0.00123 · Exploits 0 · References 1
EUVD
added 2025/12/12 6:31 a.m. · 2 views

EUVD-2025-202957

The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings...

CVSS 4.3 · AI score 4.9 · EPSS 0.00124 · Exploits 0 · References 4
NVD
added 2025/12/05 6:16 a.m. · 1 view

CVE-2025-13621

The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's...

CVSS 6.1 · EPSS 0.00119 · Exploits 0 · References 5
CVE
added 2025/12/05 5:31 a.m. · 7 views

CVE-2025-13360

CVE-2025-13360 relates to the WordPress plugin Quantic Social Image Hover (versions up to and including 1.0.8). The vulnerability is a Cross-Site Request Forgery (CSRF) due to missing nonce validation on the plugin’s settings update function. Exploitation requires tricking a site administrator in...

CVSS 4.3 · AI score 5.1 · EPSS 0.00124 · Exploits 0 · References 3
NVD
added 2025/11/28 4:16 a.m. · 5 views

CVE-2025-13737

The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink th...

CVSS 4.3 · EPSS 0.00124 · Exploits 0 · References 3
Cvelist
added 2025/11/21 8:29 p.m. · 9 views

CVE-2025-11087 Zegen Core <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload

The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possib...

CVSS 8.8 · EPSS 0.00208 · Exploits 0 · References 2
Vulnrichment
added 2025/11/18 8:27 a.m. · 1 view

CVE-2025-9625 Coil Web Monetization <= 2.0.2 - Cross-Site Request Forgery

The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the mayberestrictcontent function. This makes it possible...

CVSS 4.3 · AI score 4.9 · EPSS 0.00128 · Exploits 0 · References 4
NVD
added 2025/11/04 5:16 a.m. · 5 views

CVE-2025-12410

The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation in the shcontextualhelpdashboardwidget function. This makes it possible for unauthenticated attackers to update...

CVSS 6.1 · EPSS 0.00124 · Exploits 0 · References 4
CVE
added 2025/11/04 4:27 a.m. · 25 views

CVE-2025-12403

CVE-2025-12403 concerns the WordPress plugin Associados Amazon Plugin (brzon) <= 0.8. Wordfence notes a Cross-Site Request Forgery (CSRF) vulnerability that leverages missing or incorrect nonce validation in brzon_admin_panel(), enabling unauthenticated attackers to trigger settings updates an...

CVSS 6.1 · AI score 5 · EPSS 0.00124 · Exploits 0 · References 4
EUVD
added 2025/10/04 6:30 a.m. · 14 views

EUVD-2025-32404

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This...

CVSS 4.3 · AI score 4.9 · EPSS 0.0018 · Exploits 0 · References 4
Vulnrichment
added 2025/10/03 11:17 a.m. · 2 views

CVE-2025-9884 Mobile Site Redirect <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious w...

CVSS 6.1 · AI score 4.9 · EPSS 0.00146 · Exploits 0 · References 3
Positive Technologies
added 2024/05/16 12:00 a.m. · 2 views

PT-2024-29706 · WordPress · Bulk Posts Editing For Wordpress

Name of the Vulnerable Software and Affected Versions: Bulk Posts Editing For WordPress plugin for WordPress versions up to, and including, 4.2.3 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the plugin's AJAX actions. This allows...

CVSS 4.3 · AI score 6.7 · EPSS 0.00222 · Exploits 0 · References 4
Positive Technologies
added 2024/02/14 12:00 a.m. · 2 views

PT-2024-3142 · WordPress · The Tutor Lms

Name of the Vulnerable Software and Affected Versions: The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the erase tutor dat...

CVSS 5 · AI score 9.3 · EPSS 0.0022 · Exploits 0 · References 9
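Every entry above describes the same root cause in one of two shapes: a settings handler on an admin page (CVE-2026-7616, PT-2026-7496, CVE-2025-13360, CVE-2025-12403) or a `wp_ajax_` action (CVE-2026-1455, CVE-2025-13621, PT-2024-29706) that trusts a request merely because the admin's session cookie arrived with it. The following is an added illustration, not code from any of the plugins listed; the plugin prefix `hypo_`, the option keys and the function names are hypothetical. It places each vulnerable shape beside the form that closes the hole with WordPress's own nonce and capability APIs.

```php
<?php
/*
 * Added example (hypothetical "hypo" plugin, not any project listed above).
 * CSRF works here because the browser attaches the admin's cookies to a
 * cross-origin POST; the fix is a nonce bound to the user and the action,
 * plus a capability check so the handler never relies on "is in wp-admin".
 */

/* --- Admin page, vulnerable shape: no nonce, no capability check. --- */
function hypo_admin_page_vulnerable() {
    if ( isset( $_POST['hypo_force_css'] ) ) {
        // A form on attacker.example auto-submitted in the admin's browser lands here
        // and rewrites the option; the menu callback alone is not an authorization check.
        update_option( 'hypo_force_css', sanitize_text_field( wp_unslash( $_POST['hypo_force_css'] ) ) );
    }
    hypo_render_settings_form();
}

/* --- Admin page, hardened shape. --- */
function hypo_admin_page_fixed() {
    if ( isset( $_POST['hypo_force_css'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges', 403 );
        }
        // Verifies the 'hypo_nonce' field for action 'hypo_save_settings'; on a
        // missing, forged or expired nonce WordPress dies with
        // "The link you followed has expired" and the option is never written.
        check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );
        update_option( 'hypo_force_css', sanitize_text_field( wp_unslash( $_POST['hypo_force_css'] ) ) );
    }
    hypo_render_settings_form();
}

/* Shared form: emits the nonce the hardened handler expects. An attacker's page
 * cannot read this value cross-origin, so it cannot be copied into a forged POST. */
function hypo_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="text" name="hypo_force_css"
               value="<?php echo esc_attr( get_option( 'hypo_force_css', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

/* --- AJAX action, vulnerable shape: the wp_ajax_ hook only proves "logged in". --- */
add_action( 'wp_ajax_hypo_save', 'hypo_ajax_save_vulnerable' );
function hypo_ajax_save_vulnerable() {
    // Reachable at /wp-admin/admin-ajax.php?action=hypo_save by any cross-origin
    // form POST made in a logged-in user's browser; no referer or nonce is checked.
    update_option( 'hypo_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

/* --- AJAX action, hardened shape. --- */
add_action( 'wp_ajax_hypo_save_fixed', 'hypo_ajax_save_fixed' );
function hypo_ajax_save_fixed() {
    // check_ajax_referer() validates $_POST['nonce'] against action 'hypo_ajax'
    // and, with $stop left at its default, terminates the request on failure.
    check_ajax_referer( 'hypo_ajax', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'hypo_settings', sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) ) );
    wp_send_json_success();
}

/* The client-side script gets its nonce from the server, never from a URL it can
 * be tricked into visiting: mint it with wp_create_nonce( 'hypo_ajax' ) and pass
 * it to the page through wp_localize_script(). */
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'hypo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hypo-admin', 'hypoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hypo_ajax' ),
    ) );
} );
```

Two caveats a reviewer checks for after a fix like this: the nonce must be verified before any state change (a `check_admin_referer()` placed after `update_option()` still leaves the CSRF), and the nonce alone is not authorization, which is why each handler keeps the `current_user_can()` check; a nonce minted for a Subscriber is valid for that Subscriber's own requests. For the entries above that chain CSRF into file deletion or upload (CVE-2025-14868, CVE-2025-11087), the nonce check must be paired with the path and file-type validation the advisories say was also missing.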