Lucene search
K

30 matches found

Cvelist
Cvelist
added 2026/05/12 7:48 a.m.36 views

CVE-2026-5693 Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && AND instead of || OR,...

5.3CVSS0.00228EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/12 7:48 a.m.6 views

CVE-2026-5693 Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && AND instead of || OR,...

5.3CVSS5.9AI score0.00228EPSS
Exploits0References4
CVE
CVE
added 2026/05/12 7:48 a.m.20 views

CVE-2026-5693

CVE-2026-5693: The WordPress plugin Smart Appointment & Booking (versions ≤ 1.0.8) is vulnerable to unauthorized data modification due to a missing capability check and a faulty nonce validation in saab_cancel_booking(). The nonce check uses AND (&&) instead of OR (||), allowing unauthenticated a...

5.3CVSS5.9AI score0.00228EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2022-0633

The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database...

6.5CVSS6.7AI score0.01979EPSS
In wildExploits3References2
EUVD
EUVD
added 2026/05/01 11:18 a.m.4 views

EUVD-2026-26496

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handlemoduleactions' function. This makes it possible for unauthenticated attackers to toggle plugin...

4.3CVSS5.7AI score0.00151EPSS
Exploits0References3
CVE
CVE
added 2026/05/01 11:18 a.m.12 views

CVE-2026-3140

The Ultimate Dashboard plugin for WordPress is affected by a Cross-Site Request Forgery in versions up to 3.8.14 due to a flawed nonce validation conditional in the handle_module_actions function, enabling unauthenticated attackers to toggle plugin modules by tricking a site administrator into pe...

4.3CVSS5.7AI score0.00151EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/01 11:18 a.m.5 views

CVE-2026-3140

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handlemoduleactions' function. This makes it possible for unauthenticated attackers to toggle plugin...

4.3CVSS5.7AI score0.00151EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/10 9:31 a.m.3 views

EUVD-2026-21317

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the savetitle AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page,...

6.5CVSS5.9AI score0.00226EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/31 12:31 p.m.3 views

EUVD-2026-17367

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...

5.4CVSS5.8AI score0.00154EPSS
Exploits0References4
CVE
CVE
added 2026/02/19 4:36 a.m.11 views

CVE-2025-14167

CVE-2025-14167 details a Cross-Site Request Forgery in the WordPress plugin Remove Post Type Slug (versions

4.3CVSS5.4AI score0.00151EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2021-34220

Malicious code in bioql PyPI...

4.3CVSS5.1AI score0.00399EPSS
Exploits1References9
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2023-54119

Malicious code in bioql PyPI...

5.4CVSS6.1AI score0.00248EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-8559

Malicious code in bioql PyPI...

6.1CVSS9AI score0.00369EPSS
Exploits0References7
CVE
CVE
added 2025/09/27 2:25 a.m.22 views

CVE-2025-10499

CVE-2025-10499 : The WordPress plugin Ninja Forms – The Contact Form Builder That Grows With You (up to version 3.12.0) is vulnerable to a Cross‑Site Request Forgery (CSRF) due to missing/incorrect nonce validation in the maybe_opt_in() function. This allows unauthenticated attackers to trigger e...

4.3CVSS4.9AI score0.00151EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2025/09/20 6:43 a.m.4 views

CVE-2025-9887 Custom Login And Signup Widget <= 1.0 - Cross-Site Request Forgery

The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzkadminclsw.php file. This makes it possible for unauthenticated attackers to change the...

4.3CVSS5AI score0.00124EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/09/11 12:0 a.m.5 views

PT-2025-37148

The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings page function. This makes it possible for unauthenticated attackers to modify...

4.3CVSS5.3AI score0.00151EPSS
Exploits0References4
CVE
CVE
added 2025/08/26 9:6 a.m.27 views

CVE-2025-6247

CVE-2025-6247 affects the WordPress Automatic Plugin for WordPress (

4.7CVSS6.1AI score0.00175EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/08/16 3:38 a.m.9 views

CVE-2025-7684 Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfmalbumsartwork.php' page. This makes it possible for unauthenticated attackers to update...

6.1CVSS0.00159EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/06/28 12:0 a.m.6 views

PT-2025-27292 · WordPress · Micropayments – Fans Paysite

Name of the Vulnerable Software and Affected Versions: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress versions up to, and including, 3.2.0 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...

4.3CVSS6.8AI score0.00152EPSS
Exploits0References8
NVD
NVD
added 2025/06/14 9:15 a.m.16 views

CVE-2025-6063

The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject...

6.1CVSS0.00117EPSS
Exploits0References2
Rows per page
Query Builder