
10 matches found

NVD
added 2026/05/19 9:16 p.m. | 9 views

CVE-2026-34216

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

6.6 CVSS | 0.00406 EPSS
Exploits 0 | References 2

NVD
added 2025/05/16 9:15 p.m. | 6 views

CVE-2022-4363

The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack...

6.5 CVSS | 0.00091 EPSS
Exploits 1 | References 1

NVD
added 2024/09/08 6:15 a.m. | 14 views

CVE-2024-6852

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

6.5 CVSS | 0.00146 EPSS
Exploits 1 | References 1

OSV
added 2024/02/23 7:15 a.m. | 1 views

CVE-2024-1777

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated attackers t...

4.3 CVSS | 5.6 AI score | 0.00085 EPSS
Exploits 0 | References 2

OSV
added 2018/10/19 10:29 p.m. | 2 views

CVE-2018-18416

LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the sitename parameter to the admin/settings/update URI...

4.8 CVSS | 5.8 AI score | 0.00222 EPSS
Exploits 6 | References 2

Cvelist
added 2018/10/19 10:0 p.m. | 24 views

CVE-2018-18416

LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the sitename parameter to the admin/settings/update URI...

4.9 AI score | 0.00222 EPSS
Exploits 6 | References 2

Tenable Nessus
added 2017/06/21 12:0 a.m. | 19 views

BigTree-CMS 4.2.x < 4.2.17 Multiple Vulnerabilities

Binary data 700143.prm...

9.8 CVSS | 5.4 AI score | 0.00389 EPSS
Exploits 6 | References 7

NVD
added 2017/03/15 4:59 p.m. | 11 views

CVE-2017-6917

CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed...

4.3 CVSS | 4.6 AI score | 0.00119 EPSS
Exploits 1 | References 2

Prion
added 2017/03/15 4:59 p.m. | 12 views

Cross site request forgery (csrf)

CSRF exists in BigTree CMS 4.1.18 with the nav-social parameter to the admin/settings/update/ page. The Navigation Social can be changed...

4.3 CVSS | 4.6 AI score | 0.00119 EPSS
Exploits 1 | References 2 | Affected Software 1

OSV
added 2017/03/15 4:59 p.m. | 9 views

CVE-2017-6918

CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Navigation Social can be changed...

4.3 CVSS | 6.8 AI score
Exploits 0 | References 2