1242 matches found
CVE-2026-9731
The CVE concerns the WordPress plugin Wp Js Detect (versions up to 1.0.9). Affected component: plugin_settings in the plugin, where missing/incorrect nonce validation enables a Cross-Site Request Forgery (CSRF) . Unauthenticated attackers could forge requests to update the plugin’s settings (wp_n...
NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php. id: CVE-2024-46506 info: name:...
CVE-2026-11562
The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings...
CVE-2026-11562 WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update
The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE WordPress plugin before 1.11.8's settings...
CVE-2026-11562
CVE-2026-11562 : The WS Form LITE WordPress plugin is vulnerable prior to version 1.11.8 due to a missing capability check on a settings-update action. This allows authenticated users with subscriber-level access and above to modify the plugin’s settings. Impact is limited to settings modificatio...
CVE-2026-6292 MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to and including 1.0. This is due to a completely broken nonce validation in the entermpclploginoptions function, which contains an inverted check if wpverifynonce... return false;...
CVE-2026-6292
CVE-2026-6292 affects the WordPress plugin MP Customize Login Page (versions ≤ 1.0). The issue is a CSRF vulnerability caused by a broken nonce validation in enter_mpclp_login_options() (inverted wp_verify_nonce() check and missing action parameter) and a settings-update handler hooked on init wi...
CVE-2026-9724 MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordeskadminhome function. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update
The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...
CVE-2026-9721
CVE-2026-9721 affects the Book a Room Event Calendar plugin for WordPress (versions up to 1.9). The vulnerability is a Cross-Site Request Forgery due to missing nonce validation on the settings_form()/update_settings() flow. The plugin’s settings page accepts POST actions and persists configurati...
WordPress Bulk SEO Image plugin <= 1.1 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by nishida azuka in WordPress Plugin Bulk SEO Image versions = 1.1...
WordPress MotorDesk plugin <= 1.1.2 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by swat in WordPress Plugin MotorDesk versions = 1.1.2...
WordPress Book a Room Event Calendar plugin <= 1.9 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by swat in WordPress Plugin Book a Room Event Calendar versions = 1.9...
WordPress MP Customize Login Page plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin MP Customize Login Page versions = 1.0...
CVE-2026-8910
The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...
CVE-2026-10553 jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotesoptionssubpanel function. This makes it possible for unauthenticated attackers to update th...
CVE-2026-10553 jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotesoptionssubpanel function. This makes it possible for unauthenticated attackers to update th...
CVE-2026-8910
The CVE refers to the WordPress plugin WP Emoticon Rating (versions
EUVD-2026-35313
The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...
CVE-2026-8902
CVE-2026-8902 affects the WordPress plugin “AJAX Report Comments” (versions ≤ 2.0.4). The vulnerability stems from missing or incorrect nonce validation on the rc_options_page function, enabling Cross‑Site Request Forgery. This allows unauthenticated attackers to forge requests and modify plugin ...