23 matches found

Vulnrichment
added 2025/10/11 9:28 a.m., 2 views

CVE-2025-9621 WidgetPack Comment System <= 1.6.1 - Cross-Site Request Forgery

The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmtsync action in the wpcmtrequesthandler function. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 4.9 | EPSS 0.00012 | Exploits 0 | References 3
CVE
added 2025/06/20 3:03 p.m., 12 views

CVE-2025-52790

CVE-2025-52790 : Cross-Site Request Forgery (CSRF) vulnerability in the WP-DownloadCounter WordPress plugin allows Stored XSS for WP-DownloadCounter versions <= 1.01. The NVD entry lists CVSS 3.1 with base score 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Exploitation status is not provided in ...

CVSS 7.1 | AI score 5.9 | EPSS 0.0008 | Exploits 0 | References 1
Vulnrichment
added 2025/01/16 8:07 p.m., 4 views

CVE-2025-23808 WordPress Custom List Table Example Plugin <=1.4.1 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Dutch van Andel Custom List Table Example (custom-list-table-example) allows Reflected XSS. This issue affects Custom List Table Example: from n/a through 1.4.1...

CVSS 7.1 | AI score 7.2 | EPSS 0.00138 | Exploits 0 | References 1
OSV
added 2024/12/12 5:15 a.m., 0 views

CVE-2024-12526

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.0. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 7.2 | EPSS 0.00179 | Exploits 0 | References 2
OSV
added 2024/10/22 8:15 a.m., 0 views

CVE-2024-9588

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'wpaftoptionpage' function. This makes it possible for unauthenticated attackers to add and...

CVSS 5.4 | AI score 5.6 | Exploits 0 | References 2
Vulnrichment
added 2024/08/06 3:28 p.m., 12 views

CVE-2024-6720 Light Poll <= 1.0.0 - Poll Answers Deletion via CSRF

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

AI score 6.8 | EPSS 0.00056 | Exploits 0 | References 1
Vulnrichment
added 2024/07/31 6:00 a.m., 14 views

CVE-2024-6412 HTML Forms – Simple WordPress Forms Plugin < 1.3.34 - Bulk Delete via CSRF

The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

AI score 6.7 | EPSS 0.00253 | Exploits 1 | References 1
Vulnrichment
added 2024/07/13 6:00 a.m., 10 views

CVE-2024-5034 SULly < 4.3.1 - Plugin Reset via CSRF

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

AI score 6.8 | EPSS 0.0018 | Exploits 1 | References 1
CVE
added 2024/07/03 6:00 a.m., 59 views

CVE-2024-2235

The CVE-2024-2235 entry concerns the Himer WordPress theme pre-2.1.1 lacking CSRF checks in multiple areas, enabling CSRF-based vote manipulation on polls (including restricted ones). Affected product: Himer WordPress theme

CVSS 6.3 | AI score 4.5 | EPSS 0.0009 | Exploits 2 | References 1 | Affected Software 1
Vulnrichment
added 2024/05/02 6:00 a.m., 12 views

CVE-2024-2405 Float menu < 6.0.1 - Menu Deletion via CSRF

The Float menu WordPress plugin before 6.0.1 does not have a CSRF check in its bulk actions, which could allow attackers to make a logged-in admin delete arbitrary menus via a CSRF attack...

AI score 6.8 | EPSS 0.00214 | Exploits 2 | References 1
Cvelist
added 2024/04/24 2:47 p.m., 11 views

CVE-2024-32958 WordPress Slash Admin plugin <= 3.8.1 - CSRF to XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Giorgos Sarigiannidis Slash Admin allows Cross-Site Scripting (XSS). This issue affects Slash Admin: from n/a through 3.8.1...

CVSS 7.1 | AI score 6.8 | EPSS 0.00062 | Exploits 0 | References 1
Patchstack
added 2024/04/10 8:36 a.m., 1 view

WordPress Decode theme <= 3.15.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Dhabaleshwar Das (Patchstack Alliance) in WordPress Theme Decode versions <= 3.15.3...

CVSS 4.3 | AI score 7 | EPSS 0.00468 | Exploits 0 | Affected Software 1
Vulnrichment
added 2024/03/26 7:46 a.m., 8 views

CVE-2023-51416 WordPress EnvíaloSimple plugin <= 2.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in EnvialoSimple EnvíaloSimple. This issue affects EnvíaloSimple: from n/a through 2.2...

CVSS 6.5 | AI score 7 | EPSS 0.00147 | Exploits 0 | References 1
Cvelist
added 2022/10/25 12:00 a.m., 13 views

CVE-2022-3097 LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF

The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections...

AI score 6.7 | EPSS 0.00152 | Exploits 2 | References 1
OpenVAS
added 2022/09/12 12:00 a.m., 13 views

WordPress All in One SEO Pack Plugin < 4.2.4 CSRF Vulnerability

The WordPress plugin ... (the summary field of this record carries the header of the OpenVAS check script rather than a description: SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:aioseo:allinoneseo"; if description...)

CVSS 8.8 | AI score 7.2 | EPSS 0.00157 | Exploits 0 | References 1
Cvelist
added 2022/08/01 12:50 p.m., 14 views

CVE-2022-2241 Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, ...

AI score 6.1 | EPSS 0.00305 | Exploits 2 | References 1
Cvelist
added 2021/10/18 1:45 p.m., 11 views

CVE-2021-24642 Scroll Baner <= 1.0 - CSRF to RCE

The Scroll Baner WordPress plugin through 1.0 does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged-in admin change them and could lead to RCE via a file upload as well as XSS...

AI score 6.4 | EPSS 0.00154 | Exploits 2 | References 1
OSV
added 2021/08/16 11:15 a.m., 0 views

CVE-2021-24466

The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged-in administrators perform unwanted actions, such as adding, editing or deleting arbitrary verses and changing the settings. Due to the lack of sanitisation in the settings and verses, this coul...

CVSS 6.1 | AI score 5.9 | Exploits 0 | References 1
OSV
added 2019/09/17 3:15 p.m., 0 views

CVE-2016-10989

The leenkme plugin before 2.6.0 for WordPress has wp-admin/admin.php?page=leenkmefacebook CSRF...

CVSS 8.8 | AI score 5.8 | Exploits 0 | References 3
NVD
added 2019/09/13 12:15 p.m., 11 views

CVE-2016-10945

The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF...

CVSS 8.8 | AI score 8.8 | EPSS 0.00202 | Exploits 1 | References 2