1395 matches found
CVE-2025-14164
Technical details about CVE-2025-14164 are not publicly provided in the supplied documents. The initial description mentions a CSRF vulnerability in Quran Gateway for WordPress up to version 1.5, but no further technical specifics are available here.
PT-2025-52540
Name of the Vulnerable Software and Affected Versions WP DB Booster plugin versions up to and including 1.0.1 Description The WP DB Booster plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by a lack of nonce validation on the cleanup all AJAX action. An...
CVE-2025-66908
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormDatacontentType =...
CVE-2025-34434
AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload ...
Mattermost has missing redirect URL validation
Mattermost versions 10.11.x = 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab...
CVE-2025-14399
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the downloadpluginbulk and downloadthemebulk functions. This makes it possibl...
kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption
A flaw was found in Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism SCRAM, which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the...
CVE-2025-12835
The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server...
CVE-2025-14462
The CVE-2025-14462 issue affects the Lucky Draw Contests plugin for WordPress (versions
CVE-2025-14462 Lucky Draw Contests <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update
The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forge...
CVE-2025-14162
The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugincreateoption' and 'BMLTPlugindeleteoption ' action. This makes it possible for unauthenticated attackers to...
PT-2025-51048
The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated...
WordPress plugin WP3D Model Import Viewer 代码问题漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A code issue...
EUVD-2025-202990
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's...
CVE-2025-14062
The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attacke...
EUVD-2025-202968
The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'suppthandledeletion' function. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2025-14062
CVE-2025-14062 – Animated Pixel Marquee Creator (WordPress) is a CSRF vulnerability in all versions up to 1.0.0 caused by missing nonce validation on the marquee deletion function. This enables unauthenticated attackers to delete marquees via forged requests if the site administrator is fooled in...
CVE-2025-14161 Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update
The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefyembedoptionsupdate' settings update action. This makes it possible for unauthenticated attackers to update the...
CVE-2025-14165 Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's...
CVE-2025-14165
CVE-2025-14165 refers to the Kirim.Email WooCommerce Integration plugin for WordPress, with a CSRF vulnerability affecting all versions up to 1.2.9. The root cause is missing nonce validation on the plugin’s settings page, enabling unauthenticated attackers to modify API credentials and integrati...