6 matches found
CVE-2026-4071 BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change
The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseedpluginsettingspage function. The function processes the 'birdseedtoken' GET parameter and saves it to the database via...
CVE-2026-6405
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...
PT-2026-25147
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by...
CVE-2025-13527
The CVE-2025-13527 entry covers the WordPress xShare plugin, with CSRF in xshare_plugin_reset() affecting all versions up to 1.0.1 due to missing nonce validation. The Wordfence report confirms that unauthenticated attackers could trigger a settings-reset action by delivering a forged request to ...
CVE-2025-12070
CVE-2025-12070 pertains to the WordPress ViaAds plugin up to version 2.1.1, where CSRF is possible due to missing nonce validation in the ViaAds_pluginHandler. This allows unauthenticated attackers to alter the plugin’s API key and cookie consent settings by sending forged requests that trick an ...
CVE-2025-12095
CVE-2025-12095 concerns the WordPress plugin Simple Registration for WooCommerce (up to version 1.5.8). The root cause is missing nonce validation on the role-requests admin page handler in includes/display-role-admin.php, enabling CSRF that can privilege-escalate via forged requests if an admin ...