EUVD-2026-14007

The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to...

EUVD-2026-14191

The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...

EUVD-2026-14006

The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cptpluginoptions function. This makes it possible for unauthenticated attackers to update the plugin settings including...

CVE-2026-4143

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...

CVE-2026-3478

The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the reduxp AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint wpajaxnoprivreduxp that is accessible to...

CVE-2026-1392

The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...

EUVD-2026-13980

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...

CVE-2026-1648

The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curldata' REST API endpoint. This makes it possible for...

CVE-2026-1648

The CVE-2026-1648 entry concerns the WordPress Performance Monitor plugin (versions up to 1.0.6). It describes a Server-Side Request Forgery (SSRF) in the /wp-json/performance-monitor/v1/curl_data endpoint caused by insufficient validation of the 'url' parameter. This allows unauthenticated attac...

CVE-2026-3331

The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourtyslideroptionspage function. This makes it possible for unauthenticated attackers to modify...

CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...

CVE-2026-3332

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...

CVE-2026-2290

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the...

CVE-2026-2290 Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the...

CVE-2026-1390

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdownsettingscontent function. This makes it possible for unauthenticated attackers to update the plugin settings...

WordPress plugin Performance Monitor 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension that can ...

ApiFlow 代码问题漏洞

ApiFlow is an open-source API development collaboration platform developed by ApiFlow. Version 0.9.7 of ApiFlow contains a code vulnerability. This vulnerability stems from a server-side request forgery issue in the validateUrlSecurity function within the URL Validation Handler component’s...

WordPress plugin Content Syndication Toolkit 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Neos Connector for Fakturama 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-26831

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the...