371 matches found
PT-2025-38102
Name of the Vulnerable Software and Affected Versions: USS Upyun plugin for WordPress versions prior to 1.5.1 Description: The USS Upyun plugin for WordPress is susceptible to a Cross-Site Request Forgery issue. This is due to missing or incorrect nonce validation within the uss setting page...
CVE-2025-8481
The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfeinstallactivaterswpbsonly function. This makes it possible for unauthenticated...
CVE-2025-9622
The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on multiple administrative actions in the Settings class. This makes it possible for...
CVE-2025-9631
The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatsetajax function. This makes it possible for unauthenticated attackers to trigger automatic...
CVE-2025-8481 Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery
The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfeinstallactivaterswpbsonly function. This makes it possible for unauthenticated...
CVE-2025-9623 Admin in English with Switch <= 1.1 - Cross-Site Request Forgery
The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enableeng function. This makes it possible for unauthenticated attackers to modify administrator...
CVE-2025-9635
CVE-2025-9635 affects the Analytics Reduce Bounce Rate plugin for WordPress (versions up to 2.3). The flaw is a Cross-Site Request Forgery due to missing or incorrect nonce validation on the unbounce_options function, enabling unauthenticated attackers to modify Google Analytics tracking settings...
CVE-2025-9635 Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery
The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounceoptions function. This makes it possible for unauthenticated attackers to modify Google...
PT-2025-37145
The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. This is due to missing or incorrect nonce validation on the check integration function. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-9622 WP Blast | SEO & Performance Booster <= 1.8.6 - Cross-Site Request Forgery to Cache Clearing
The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on multiple administrative actions in the Settings class. This makes it possible for...
CVE-2025-9622
The CVE-2025-9622 entry concerns WP Blast | SEO & Performance Booster for WordPress (WPBlast) with Cross-Site Request Forgery in versions up to 1.8.6 due to missing/incorrect nonce validation in the Settings class. Attack scenario: unauthenticated attackers can trigger cache purging, sitemap clea...
CVE-2025-9888
CVE-2025-9888 affects the Maspik – Ultimate Spam Protection WordPress plugin. According to connected sources, versions up to and including 2.5.6 are vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation in the clear_log function. This (unauthenticated) vulnerabilit...
PT-2025-37024
Name of the Vulnerable Software and Affected Versions: Maspik – Ultimate Spam Protection plugin for WordPress versions through 2.5.6 Description: The Maspik – Ultimate Spam Protection plugin for WordPress is susceptible to a Cross-Site Request Forgery issue. This is due to insufficient or incorre...
GHSA-RF24-WG77-GQ7W listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover
Summary Cross-Site Request Forgery CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering such as sending a link via email or chat, an attacker may trick the users of a web...
CVE-2025-9374 Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery
The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can...
CVE-2025-8102 Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the eddsendwpdisconnect and eddsendwpremoteinstall functions. This makes it possible for unauthenticated attackers t...
CVE-2025-7683
The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-7688
The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-7683
The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2025-7686 weichuncai(WP伪春菜) <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The weichuncaiWP伪春菜 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject...