Lucene search
K

253 matches found

Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.10 views

CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References7
CVE
CVE
added 2026/05/20 1:25 a.m.16 views

CVE-2026-6395

CVE-2026-6395 affects the WordPress plugin Word 2 Cash up to version 0.9.2. The root cause is the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the...

6.1CVSS6AI score0.00153EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.8 views

CVE-2026-6395

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.8 views

CVE-2026-6400 Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options function, which handles plugin settings updates. The form template does not include a...

4.3CVSS5.7AI score0.00163EPSS
Exploits0References5
CVE
CVE
added 2026/05/20 1:25 a.m.21 views

CVE-2026-6401

The Bottom Bar plugin for WordPress (versions

4.3CVSS5.9AI score0.00187EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.9 views

CVE-2026-8424

The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybbapisettings' page. This makes it possible for unauthenticated attackers to reset the plugin's stored...

4.3CVSS5.7AI score0.00158EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/20 1:25 a.m.12 views

EUVD-2026-31029

The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS5.7AI score0.00294EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.18 views

PT-2026-42061

Name of the Vulnerable Software and Affected Versions Word 2 Cash versions prior to 0.9.3 Description The Word 2 Cash plugin for WordPress is subject to Cross-Site Request Forgery CSRF which can lead to Stored Cross-Site Scripting XSS. This occurs because the w2c admin function lacks nonce...

6.1CVSS6AI score0.00153EPSS
Exploits0References10
EUVD
EUVD
added 2026/05/12 9:31 a.m.44 views

EUVD-2026-29408

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the savesettings function, which is registered on the adminpostcccf7savesettings...

4.3CVSS5.8AI score0.00208EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/12 7:48 a.m.6 views

CVE-2026-7562

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via checkadminreferer or wpverifynonce in the...

4.3CVSS5.7AI score0.00132EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.40 views

CVE-2026-7562 WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via checkadminreferer or wpverifynonce in the...

4.3CVSS0.00132EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.14 views

PT-2026-39972

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via check admin referer or wp verify nonce in the...

4.3CVSS5.7AI score0.00132EPSS
Exploits0References6
CVE
CVE
added 2026/05/10 12:12 p.m.11 views

CVE-2022-50955

CVE-2022-50955 affects the WordPress plugin Curtain 1.0.2. The issue is a cross-site request forgery (CSRF) that lets attackers toggle maintenance mode by crafting requests to options-general.php with curtain parameters, bypassing valid nonce validation. Impact is the ability to activate/deactiva...

5.3CVSS5.7AI score0.0013EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-36960

Name of the Vulnerable Software and Affected Versions Publish 2 Ping.fm plugin for WordPress versions prior to 1.2 Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This allows unauthenticated...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/05/02 7:46 a.m.5 views

CVE-2026-4650

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donateactionstatus AJAX handler, which is registered to be accessible to unauthenticated users vi...

5.3CVSS5.9AI score0.00402EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.5 views

PT-2026-36589

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate action status AJAX handler, which is registered to be accessible to unauthenticated users...

5.3CVSS5.9AI score0.00402EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/04/23 8:38 p.m.6 views

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

4.3CVSS5.7AI score0.00178EPSS
Exploits0References1
NVD
NVD
added 2026/04/22 9:16 a.m.5 views

CVE-2026-4131

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS0.00181EPSS
Exploits0References11
NVD
NVD
added 2026/04/22 9:16 a.m.6 views

CVE-2026-4140

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the niorderexportaction AJAX handler function. The handler processes settings updates when the 'page' parameter is...

4.3CVSS0.00156EPSS
Exploits0References5
NVD
NVD
added 2026/04/22 9:16 a.m.7 views

CVE-2026-4117

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

5.3CVSS0.00364EPSS
Exploits0References7
Rows per page
Query Builder