CVE-2026-2382 FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'id' Parameter
The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpwfsgetfile' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for...
PT-2025-25399 · WordPress · Auto Attachments
Name of the Vulnerable Software and Affected Versions: Auto Attachments plugin for WordPress versions up to, and including, 1.8.5 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...
CVE-2025-4580 File Provider <= 1.2.3 - Item Deletion via CSRF
The File Provider WordPress plugin through 1.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2025-5055
The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2024-8094
The CVE-2024-8094 entry identifies a CSRF flaw in the Ntz Antispam WordPress plugin (versions up to 2.0e) where the settings update flow lacks CSRF protection. Root cause: missing CSRF check when updating plugin settings. Impact: a CSRF attack could cause a logged-in admin to change settings. Pub...