Lucene search

56 matches found

RedhatCVE
added 2026/06/10 8:59 a.m., 7 views

CVE-2026-8902

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rcoptionspage function. This makes it possible for unauthenticated attackers to modify plugin settings...

4.3 CVSS, 5.4 AI score, 0.00124 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/10/18 3:33 a.m., 4 views

CVE-2020-36853 10WebMapBuilder <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change

The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attacker...

7.2 CVSS, 4.8 AI score, 0.00347 EPSS
Exploits 0, References 3

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-23467

Malware in sbrugna...

5.4 CVSS, 4.8 AI score, 0.00366 EPSS
Exploits 1, References 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2016-1893

Malware in sbrugna...

5.3 CVSS, 5.5 AI score, 0.01139 EPSS
Exploits 0, References 2

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-30262

Malicious code in bioql PyPI...

8.8 CVSS, 8.5 AI score, 0.01262 EPSS
Exploits 0, References 2

EUVD
added 2025/10/03 8:7 p.m., 8 views

EUVD-2022-35653

Malicious code in bioql PyPI...

5.4 CVSS, 5.1 AI score, 0.00258 EPSS
Exploits 0, References 2

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-43956

Malicious code in bioql PyPI...

4.3 CVSS, 6.4 AI score, 0.00215 EPSS
Exploits 0, References 2

RedhatCVE
added 2025/05/22 10:22 p.m., 5 views

CVE-2022-2123

The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails...

4.3 CVSS, 6.8 AI score, 0.00368 EPSS
Exploits 2, References 1

RedhatCVE
added 2025/05/22 6:22 a.m., 7 views

CVE-2018-11579

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv usage. Anyone can change the plugin's setting by simply sending a request with a...

5.3 CVSS, 6.9 AI score, 0.00945 EPSS
Exploits 1, References 1

Patchstack
added 2025/04/02 10:47 a.m., 7 views

WordPress WP Video Playlist plugin <= 1.1.2 - Settings Change vulnerability

Settings Change vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin WP Video Playlist versions <= 1.1.2...

6.5 CVSS, 8.4 AI score, 0.00247 EPSS
Exploits 0, Affected Software 1

Vulnrichment
added 2025/03/15 9:57 p.m., 10 views

CVE-2025-26899 WordPress Recapture for WooCommerce Plugin <= 1.0.43 - CSRF to Settings Change vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing Recapture for WooCommerce recapture-for-woocommerce allows Cross Site Request Forgery. This issue affects Recapture for WooCommerce: from n/a through <= 1.0.43...

6.5 CVSS, 8.5 AI score, 0.00168 EPSS
Exploits 0, References 1

Cvelist
added 2025/02/15 8:25 a.m., 17 views

CVE-2025-0935 Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change

The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to...

4.3 CVSS, 0.0031 EPSS
Exploits 0, References 5

Patchstack
added 2024/12/02 3:33 p.m., 5 views

WordPress ARForms plugin <= 6.4.1 - Subscriber+ Plugin Settings Change vulnerability

Subscriber+ Plugin Settings Change vulnerability discovered by Dave Jong Patchstack in WordPress Plugin ARForms versions <= 6.4.1...

5.4 CVSS, 7 AI score, 0.00424 EPSS
Exploits 0, Affected Software 1

Cvelist
added 2024/11/01 2:18 p.m., 14 views

CVE-2024-37106 WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Plugin Settings Change Leading to Stored XSS vulnerability

Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WishList Member X: from n/a through 3.26.6...

8.2 CVSS, 0.00346 EPSS
Exploits 0, References 1

Vulnrichment
added 2024/11/01 2:18 p.m., 13 views

CVE-2024-37106 WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Plugin Settings Change Leading to Stored XSS vulnerability

Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WishList Member X: from n/a through 3.26.6...

8.2 CVSS, 6.9 AI score, 0.00346 EPSS
Exploits 0, References 1

Cvelist
added 2024/08/19 5:21 p.m., 17 views

CVE-2024-43250 WordPress Bit Form Pro plugin <= 2.6.4 - Authenticated Plugin Settings Change vulnerability

Incorrect Authorization vulnerability in Bit Apps Bit Form Pro bitformpro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bit Form Pro: from n/a through 2.6.4...

7.1 CVSS, 0.00285 EPSS
Exploits 0, References 1

Patchstack
added 2024/05/24 11:28 a.m., 6 views

WordPress Pray For Me plugin <= 1.0.4 - Cross Site Request Forgery (CSRF) Leading to Plugin Settings Change vulnerability

Cross Site Request Forgery (CSRF) Leading to Plugin Settings Change vulnerability discovered by Bob Matyas in WordPress Plugin Pray For Me versions <= 1.0.4...

5.4 CVSS, 6.9 AI score, 0.00198 EPSS
Exploits 2, References 1, Affected Software 1

Cvelist
added 2024/05/08 11:57 a.m., 14 views

CVE-2022-40218 WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability

Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin. This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4...

6.5 CVSS, 6.7 AI score, 0.00486 EPSS
Exploits 0, References 1

Cvelist
added 2024/03/26 12:28 p.m., 19 views

CVE-2024-22156 WordPress SalesKing plugin <= 1.6.15 - Unauthenticated Plugin Settings Change vulnerability

Missing Authorization vulnerability in SNP Digital SalesKing. This issue affects SalesKing: from n/a through 1.6.15...

6.5 CVSS, 6.7 AI score, 0.00412 EPSS
Exploits 0, References 1

WPVulnDB
added 2023/12/05 12:0 a.m., 13 views

Ecwid Ecommerce Shopping Cart < 6.12.5 - Arbitrary Plugin Settings Change via CSRF

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. PoC: http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwidstorefrontsetpageslug=hehehehe Besides, you can disable the...

4.3 CVSS, 6.5 AI score, 0.00217 EPSS
Exploits 2, Affected Software 1