30 matches found
CVE-2026-5693 Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation
The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && AND instead of || OR,...
CVE-2026-5693 Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation
The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && AND instead of || OR,...
CVE-2026-5693
CVE-2026-5693: The WordPress plugin Smart Appointment & Booking (versions ≤ 1.0.8) is vulnerable to unauthorized data modification due to a missing capability check and a faulty nonce validation in saab_cancel_booking(). The nonce check uses AND (&&) instead of OR (||), allowing unauthenticated a...
VulnCheck KEV: CVE-2022-0633
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database...
EUVD-2026-26496
The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handlemoduleactions' function. This makes it possible for unauthenticated attackers to toggle plugin...
CVE-2026-3140
The Ultimate Dashboard plugin for WordPress is affected by a Cross-Site Request Forgery in versions up to 3.8.14 due to a flawed nonce validation conditional in the handle_module_actions function, enabling unauthenticated attackers to toggle plugin modules by tricking a site administrator into pe...
CVE-2026-3140
The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handlemoduleactions' function. This makes it possible for unauthenticated attackers to toggle plugin...
EUVD-2026-21317
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the savetitle AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page,...
EUVD-2026-17367
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...
CVE-2025-14167
CVE-2025-14167 details a Cross-Site Request Forgery in the WordPress plugin Remove Post Type Slug (versions
EUVD-2021-34220
Malicious code in bioql PyPI...
EUVD-2023-54119
Malicious code in bioql PyPI...
EUVD-2025-8559
Malicious code in bioql PyPI...
CVE-2025-10499
CVE-2025-10499 : The WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You (up to version 3.12.0) is vulnerable to a Cross‑Site Request Forgery (CSRF) due to missing/incorrect nonce validation in the maybe_opt_in() function. This allows unauthenticated attackers to trigger e...
CVE-2025-9887 Custom Login And Signup Widget <= 1.0 - Cross-Site Request Forgery
The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzkadminclsw.php file. This makes it possible for unauthenticated attackers to change the...
PT-2025-37148
The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings page function. This makes it possible for unauthenticated attackers to modify...
CVE-2025-6247
CVE-2025-6247 affects the WordPress Automatic Plugin for WordPress (
CVE-2025-7684 Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfmalbumsartwork.php' page. This makes it possible for unauthenticated attackers to update...
PT-2025-27292 · WordPress · Micropayments – Fans Paysite
Name of the Vulnerable Software and Affected Versions: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress versions up to, and including, 3.2.0 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...
CVE-2025-6063
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject...