11 matches found
WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability
WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Poli - CMC Global in WordPress Plugin LTL Freight Quotes – R+L Carriers Edition versions <= 3.3.13...
CVE-2025-13521 WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update
The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin...
CVE-2025-12413 Social Media WPCF7 Stop Words <= 1.1.3 - Cross-Site Request Forgery to Settings Update
The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions function. This makes it possible for unauthenticated attackers to update the...
CVE-2025-1440 Advanced iFrame <= 2024.5 - Unauthenticated Settings Update
The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aipmapurlcallback function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the...
WordPress Advanced iFrame plugin <= 2024.5 - Unauthenticated Settings Update vulnerability
Unauthenticated Settings Update vulnerability discovered by Peter Thaleikis in WordPress Plugin Advanced iFrame versions <= 2024.5...
NetAlertX 24.9.12 Code Execution
NetAlertX version 24.9.12 suffers from a code execution vulnerability. Title: NetAlertX 24.9.12 PHP Code Injection Vulnerability. Author: indoushka ...
CVE-2020-36731
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...
WordPress GoHero Store Customizer for WooCommerce plugin <= 3.5 - Missing Authorization to Unauthenticated Settings Update vulnerability
Missing Authorization to Unauthenticated Settings Update vulnerability discovered by incognito in WordPress Plugin Download Personalized WooCommerce Cart Page versions <= 3.5...
WordPress Disable User Login plugin <= 1.0.1 - Unauthenticated Settings Update vulnerability
Unauthenticated Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Disable User Login plugin versions <= 1.0.1. Solution: No patched version available...
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
The plugin does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address. POST / HTTP/1.1...
WP Shop Original <= 3.9.6 - Unauthenticated Settings Update
The plugin does not have an authorisation check when updating its settings, which could allow unauthenticated attackers to update them...