EUVD-2026-38688

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage, which dispatches to launchbulk / BulkSeoImageGo whenever the request...

EUVD-2026-38680

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravelinvoicechangepassword function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...

CVE-2026-11784 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

CVE-2026-53736

CVE-2026-53736 affects the Easy Twitter Feeds WordPress plugin prior to 1.2.13. The issue is a cross-site request forgery in the duplicate_post action handler that lacks nonce verification. An attacker could entice an authenticated user to visit a crafted link that duplicates posts regardless of ...

CVE-2026-8909 WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

EUVD-2026-35304

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the processinit function hooked to admininit, which saves plugin settings zoom-level, focus-lat, focus-lng, selplaces, selroutes v...

PT-2026-47680

Name of the Vulnerable Software and Affected Versions WP-Ultimate-Map versions prior to 1.2 Description The plugin is subject to Cross-Site Request Forgery CSRF and Stored Cross-Site Scripting XSS. The issue occurs because the process init function, which is hooked to admin init, fails to validat...

WordPress plugin AJAX Report Comments 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2026-7616

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyiadminpage function. This makes it possible for unauthenticated attackers to update the plugin's...

CVE-2026-1673

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

CVE-2026-1672

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the wooberedrawtablerow function. This makes it possibl...

CVE-2026-9730

The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmzcommentsettingssave function. This makes it possible for unauthenticated attackers to modify...

CVE-2026-6396

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields function, which handles the fffsavesettins AJAX action. This makes it possible for unauthenticated...

CVE-2026-6400

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options function, which handles plugin settings updates. The form template does not include a...

CVE-2026-4131

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

CVE-2026-4071

The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseedpluginsettingspage function. The function processes the 'birdseedtoken' GET parameter and saves it to the database via...

CVE-2026-4118

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...

CVE-2026-8425

The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...

CVE-2026-3499

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajaxmigratetocustomposttype,...