Lucene search
K

1244 matches found

Cvelist
Cvelist
added 2026/05/12 7:48 a.m.39 views

CVE-2026-6932 Woo Commerce Minimum Weight <= 3.0.1 - Cross-Site Request Forgery via Settings Update Form

The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify t...

4.3CVSS0.00132EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.39 views

CVE-2026-4663

...

0.00075EPSS
Exploits0
CVE
CVE
added 2026/05/12 7:48 a.m.22 views

CVE-2026-4663

The CVE-2026-4663 entry is linked to the WordPress payment plugin issue described by EUVD-2026-29394: the iPOSpays Gateways WC plugin for WordPress has a Missing Authorization vulnerability up to version 1.3.7. The root cause is a REST API endpoint exposed at /wp-json/ipospays/v1/save_settings wh...

5.8AI score0.00075EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/12 7:48 a.m.8 views

CVE-2026-7561 Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

6.1CVSS5.7AI score0.0012EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.42 views

CVE-2026-7561 Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

6.1CVSS0.0012EPSS
Exploits0References7
Patchstack
Patchstack
added 2026/05/11 7:5 p.m.14 views

WordPress WP-Redirection plugin <= 1.0.3 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin WP-Redirection versions = 1.0.3...

4.3CVSS5.8AI score0.00132EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/05 2:26 a.m.45 views

CVE-2026-6700 DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS0.00128EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/05 2:26 a.m.4 views

CVE-2026-6700 DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References5
CVE
CVE
added 2026/05/05 2:26 a.m.17 views

CVE-2026-6700

The DX Sources plugin for WordPress is affected up to version 2.0.1 by a Cross-Site Request Forgery due to missing or incorrect nonce validation in the settings_page_build function. This allows unauthenticated attackers to entice a logged-in administrator to submit a forged request that can modif...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/05 2:26 a.m.54 views

CVE-2026-6701 addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

4.3CVSS0.00158EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.20 views

PT-2026-36960

Name of the Vulnerable Software and Affected Versions Publish 2 Ping.fm plugin for WordPress versions prior to 1.2 Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This allows unauthenticated...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References13
Patchstack
Patchstack
added 2026/05/04 2:6 p.m.10 views

WordPress DX Sources plugin <= 2.0.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin DX Sources versions = 2.0.1...

4.3CVSS5.8AI score0.00128EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/04/23 4:45 p.m.8 views

WordPress WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes plugin <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update vulnerability

Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Books Gallery versions = 4.8.0...

5.3CVSS5.8AI score0.00323EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/04/22 9:16 a.m.7 views

CVE-2026-4133

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage function which processes settings updates. The form at line 314 does not include a wpnoncefield,...

4.3CVSS0.00156EPSS
Exploits0References5
NVD
NVD
added 2026/04/22 9:16 a.m.6 views

CVE-2026-4140

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the niorderexportaction AJAX handler function. The handler processes settings updates when the 'page' parameter is...

4.3CVSS0.00156EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.30 views

CVE-2026-6294 Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplayoption function, which handles the plugin settings page. The settings form does not include a wpnoncefield, and...

4.3CVSS0.002EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.31 views

CVE-2026-4138 DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

4.3CVSS0.00193EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.5 views

CVE-2026-6294 Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplayoption function, which handles the plugin settings page. The settings form does not include a wpnoncefield, and...

4.3CVSS5.8AI score0.002EPSS
Exploits0References5
CVE
CVE
added 2026/04/22 7:45 a.m.15 views

CVE-2026-6294

CVE-2026-6294 concerns the WordPress plugin Google PageRank Display (versions ≤ 1.4). The root cause is missing nonce validation in gpdisplay_option(), with the settings form lacking wp_nonce_field() and the handler not calling check_admin_referer() or wp_verify_nonce() before processing POST req...

4.3CVSS5.8AI score0.002EPSS
Exploits0References5
CVE
CVE
added 2026/04/22 7:45 a.m.19 views

CVE-2026-4138

The CVE-2026-4138 entry concerns the DX Unanswered Comments plugin for WordPress (versions up to 1.7). A Cross-Site Request Forgery vulnerability arises from missing nonce validation on the plugin’s settings form (dxuc-unanswered-comments-admin-page.php), enabling unauthenticated attackers to mod...

4.3CVSS5.7AI score0.00193EPSS
Exploits0References9
Rows per page
Query Builder