WordPress Newsletter Popup plugin <= 1.2 - Subscriber Deletion via CSRF vulnerability
Subscriber Deletion via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin Newsletter Popup versions <= 1.2...
CVE-2025-14441
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE /subscribers REST API endpoint in all versions up to, and including, 2.2.0. This is due to the permission_callback only validating wp_rest nonce without checking user...
CVE-2025-10691
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page function. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2025-10691 Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page function. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2025-10691
The CVE-2025-10691 entry concerns the WordPress Easy Email Subscription plugin (versions up to and including 1.3). The vulnerability is a Cross-Site Request Forgery caused by missing or incorrect nonce validation in the show_editsub_page() function, enabling unauthenticated attackers to delete ar...
EUVD-2025-37972
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page function. This makes it possible for unauthenticated attackers to delete arbitrary...
EUVD-2023-59172
Malicious code in bioql PyPI...
CVE-2023-6696
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check...
PT-2024-15054 · WordPress · The Popup Builder
Name of the Vulnerable Software and Affected Versions: The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress versions up to, and including, 4.3.1 Description: The issue arises from a missing capability check on several functions, allowing unauthorize...
CVE-2024-3642
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack...
CVE-2024-3642 Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack...
WordPress LetterPress plugin <= 1.2.2 - Subscriber Deletion via CSRF vulnerability
Subscriber Deletion via CSRF vulnerability discovered by SANU P.L in WordPress Plugin LetterPress versions <= 1.2.2...
Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
Description The plugin does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack PoC Make an admin open a link where is a valid user: http://example.com/wp-admin/admin.php?page=wpnewslettershowlocalrecord=delete=...
Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
Description The plugin does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack Make an admin open a link where is a valid user:...
LetterPress <= 1.2.2 - Subscriber Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers Make a logged in admin open an HTML file containing:...
CVE-2023-6980
The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers...