Lucene search
K

245 matches found

NVD
NVD
added 2026/03/11 2:16 a.m.4 views

CVE-2026-2324

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reloadpreview function. This makes it possible for...

6.1CVSS0.00095EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/10 6:31 p.m.4 views

EUVD-2026-10474

The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack...

4.3CVSS5.8AI score0.00124EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/10 6:0 a.m.3 views

CVE-2026-1508 Court Reservation < 1.10.9 - Event Deletion via CSRF

The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack...

5.8AI score0.00124EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/20 4:48 p.m.24 views

CVE-2026-27503 SVXportal <= 2.5 admin/log.php Search Reflected XSS

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute,...

6.1CVSS0.00155EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/02/18 12:0 a.m.5 views

CVE-2025-70146

Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations e.g.,adding records, deleting records via direct HTTP requests to affected endpoints without a...

9.1CVSS5.6AI score0.00452EPSS
Exploits1References3
CVE
CVE
added 2026/02/18 12:0 a.m.10 views

CVE-2025-70146

CVE-2025-70146 affects ProjectWorlds Online Time Table Generator 1.0. Multiple administrative action scripts under /admin/ lack authentication, enabling remote attackers to perform unauthorized admin operations (e.g., add/delete records) via direct HTTP requests without a valid session. The vulne...

9.1CVSS5.6AI score0.00452EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/01/24 7:26 a.m.6 views

CVE-2026-1081

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categorie...

4.3CVSS5.8AI score0.00155EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/24 7:26 a.m.4 views

CVE-2026-1081 Set Bulk Post Categories <= 1.1 - Cross-Site Request Forgery to Bulk Post Category Update

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categorie...

4.3CVSS5.8AI score0.00155EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/14 12:0 a.m.7 views

PT-2026-2811

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted...

4.3CVSS5.5AI score0.00102EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.9 views

PT-2026-1761

Name of the Vulnerable Software and Affected Versions User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin versions prior to 4.4.9 Description The plugin is susceptible to a Cross-Site Request Forgery CSRF issu...

5.4CVSS6.5AI score0.00123EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/01/09 9:26 a.m.8 views

CVE-2023-4161

The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can tric...

4.3CVSS6.7AI score0.00263EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.6 views

PT-2026-1592

Name of the Vulnerable Software and Affected Versions MTCaptcha WordPress Plugin versions prior to 2.7.3 Description The software is susceptible to Cross-Site Request Forgery CSRF due to missing or incorrect nonce validation on the settings update functionality. An unauthenticated attacker could...

4.3CVSS6.3AI score0.0014EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/01/05 5:44 p.m.26 views

CVE-2025-59158 Coolify has Stored XSS in Project Name

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting XSS attack in the project creation workflow. An authenticated user with low privileges e.g....

9.4CVSS0.00474EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2025/12/30 3:13 p.m.8 views

Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”

!NOTE Message from the Pterodactyl team: The Pterodactyl team has evaluated this as a minor security issue but does not consider it something that should be assigned a CVE, nor does it require active patching by vulnerable systems. This issue is entirely self-inflicted and requires an...

6AI score
Exploits0References3Affected Software1
NVD
NVD
added 2025/12/12 4:15 a.m.18 views

CVE-2025-14160

The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendl...

4.3CVSS0.00128EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/12/05 3:32 p.m.23 views

CVE-2025-14089 Himool ERP AdminActionViewSet update_account improper authorization

A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function updateaccount of the file /api/admin/updateaccount/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is public...

6.5CVSS0.00209EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/12/05 3:32 p.m.2 views

CVE-2025-14089 Himool ERP AdminActionViewSet update_account improper authorization

A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function updateaccount of the file /api/admin/updateaccount/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is public...

6.5CVSS6.2AI score0.00209EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/12/05 12:0 a.m.7 views

PT-2025-49250

A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update account of the file /api/admin/update account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is...

6.5CVSS6.5AI score0.00209EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/11/12 3:47 a.m.18 views

CVE-2025-12590

The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it...

6.1CVSS4.8AI score0.00126EPSS
Exploits0References1
EUVD
EUVD
added 2025/11/11 6:30 a.m.7 views

EUVD-2025-60952

The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's settings...

4.3CVSS5.2AI score0.00131EPSS
Exploits0References4
Rows per page
Query Builder