EUVD-2026-34055

The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...

CVE-2026-9732

The CVE concerns the WordPress plugin “EmergencyWP – Dead Man's switch & legacy deliverance” up to version 1.4.2. The root cause is missing or incorrect nonce validation in the form_settings_ui (settings save handler) function, enabling Cross-Site Request Forgery. This allows unauthenticated atta...

CVE-2026-9234 JTL-Connector for WooCommerce <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the adminpostsettingssavewoo-jtl-connector action handled by JtlConnectorAdmin::save and on the...

CVE-2026-6395

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

CVE-2025-14906

Summary: CVE-2025-14906 affects the WP Youtube Video Gallery plugin for WordPress. The WordPress plugin (WP Youtube Video Gallery) is vulnerable to Cross-Site Forgery (CSRF) in all versions up to and including 1.0 due to missing nonce verification on the wpYTVideoGallerySettingSave() function. Th...

PT-2026-4573

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave function. This makes it possible for unauthenticated attackers to modify plugin...

CVE-2025-15378

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notelistclass' and 'popupdisplayeffectin' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input...

CVE-2025-15378 AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notelistclass' and 'popupdisplayeffectin' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input...

CVE-2024-9697

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweetsettingssave and tweetsettingsupdate functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated...

CVE-2021-24780

The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able...

PT-2024-29115 · WordPress · Cm Tooltip Glossary – Powerful Glossary Plugin

Name of the Vulnerable Software and Affected Versions: CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress versions up to, and including, 4.2.11 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation when saving settings. This...

CVE-2024-1308 WooCommerce Cloak Affiliate Links <= 1.0.33 - Missing Authorization to Unauthenticated Permalink Modification

The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalinksettingssave' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to modify the...

CVE-2024-1178

The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settingssave function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the...

PT-2024-17252 · WordPress · Sportspress

Name of the Vulnerable Software and Affected Versions: SportsPress – Sports Club & League Manager plugin for WordPress versions up to, and including, 2.7.17 Description: The issue allows unauthorized modification of data due to a missing capability check on the settings save function. This makes ...

WordPress Plugin SportsPress Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed using the PHP language, which supports personal blogs on PHP and MySQL servers.WordPress plugin is an...

SportsPress – Sports Club & League Manager < 2.7.18 - Missing Authorization to Unauthenticated Event Permalink Update

Description The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settingssave function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to...

WP Club Manager – WordPress Sports Club Plugin < 2.2.11 - Missing Authorization to Unauthenticated Event Permalink Update

Description The WP Club Manager – WordPress Sports Club Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settingssave function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers ...

WordPress plugin WP Club Manager security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

DashMachine Code Injection Vulnerability

DashMachine is a web application bookmarking dashboard by Ross Mountjoy Individual Developer. A code injection vulnerability exists in DashMachine version 0.5-4, where the parameter valuetemplate in the source file /settings/saveconfig can lead to code injection...

PT-2023-32808 · Rmountjoy92 · Dashmachine

Name of the Vulnerable Software and Affected Versions: rmountjoy92 DashMachine versions 0.5-4 Description: A problematic issue was found in the Config Handler component, specifically in the /settings/save config file. The manipulation of the value template argument leads to code injection. The...