19 matches found

NVD · added 2026/03/06 6:15 a.m.

CVE-2026-2446

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options such as defaultrole etc. and create arbitrary admin users...

CVSS 9.8 · EPSS 0.00147
Exploits 0 · References 1
EUVD · added 2025/10/07 12:30 a.m.

EUVD-2021-11826

Malware in sbrugna...

CVSS 8 · AI score 7.7 · EPSS 0.00175
Exploits 2 · References 2
EUVD · added 2025/10/07 12:30 a.m.

EUVD-2021-2062

Malware in sbrugna...

CVSS 8.8 · AI score 8.7 · EPSS 0.00138
Exploits 0 · References 5
Positive Technologies · added 2024/07/22 12:00 a.m.

PT-2024-37476 · WordPress · Pz Frontend Manager

Name of the Vulnerable Software and Affected Versions: PZ Frontend Manager WordPress plugin versions prior to 1.0.6 Description: The issue concerns a lack of CSRF checks in certain areas, potentially allowing attackers to trick logged-in users into performing unintended actions through CSRF...

CVSS 8.8 · AI score 7.1 · EPSS 0.11383
Exploits 1 · References 6
WPVulnDB · added 2024/04/05 12:00 a.m.

ENL Newsletter <= 1.0.1 - Campaign Deletion via CSRF

Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete arbitrary Campaigns via a CSRF attack. PoC: Make an admin open a URL like where is a valid ID: http://example.com/wp-admin/admin.php?page=enl-campaigns=campaign-delete=...

AI score 6.6 · EPSS 0.00151
Exploits 2
Positive Technologies · added 2023/09/11 12:00 a.m.

PT-2023-25148 · WordPress · Ftp Access

Name of the Vulnerable Software and Affected Versions: FTP Access WordPress plugin versions 1.0 and earlier Description: The issue concerns a lack of authorization and CSRF checks when updating settings in the plugin, along with missing sanitization and escaping. This allows any authenticated use...

CVSS 5.4 · AI score 5.7 · EPSS 0.00141
Exploits 2 · References 4
Positive Technologies · added 2023/08/16 12:00 a.m.

PT-2023-16356 · WordPress · Rest Api To Miniprogram

Name of the Vulnerable Software and Affected Versions: REST API TO MiniProgram WordPress plugin versions through 4.6.1 Description: The issue concerns a lack of authorization and CSRF checks in an AJAX action within the REST API TO MiniProgram WordPress plugin. This allows any authenticated users...

CVSS 5.4 · AI score 6.2 · EPSS 0.00042
Exploits 2 · References 8
OSV · added 2023/01/30 9:15 p.m.

CVE-2022-4872

The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, and does not ensure that the option to be updated belongs to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'...

CVSS 4.3 · AI score 5.8
Exploits 0 · References 1
Vulnrichment · added 2023/01/09 10:13 p.m.

CVE-2022-4368 WP CSV <= 1.8.0.0 - Reflected XSS via CSV Import

The WP CSV WordPress plugin through 1.8.0.0 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and does not have CSRF checks in place either, leading to a Reflected Cross-Site Scripting...

AI score 6.3 · EPSS 0.00144
Exploits 2 · References 1
OSV · added 2022/12/19 2:15 p.m.

CVE-2022-4124

The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them...

CVSS 4.3 · AI score 5.8
Exploits 0 · References 1
OSV · added 2022/11/07 10:15 a.m.

CVE-2022-3536

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, and does not validate the path given via user input, allowing any authenticated user such as a subscriber to perform PHAR deserialization attacks when they can upload a file, an...

CVSS 8.8 · AI score 5.8
Exploits 0 · References 1
CNNVD · added 2022/11/07 12:00 a.m.

WordPress plugin Role Based Pricing for WooCommerce code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. A WordPress plugin is an application plugin that supports personal blog sites on servers running PHP and MySQL. A code issue vulnerability exists in the...

CVSS 8.8 · AI score 8.2 · EPSS 0.0008
Exploits 2 · References 2
Positive Technologies · added 2022/05/02 12:00 a.m.

PT-2022-6789 · Click5 · Sitemap

Name of the Vulnerable Software and Affected Versions: Sitemap by click5 WordPress plugin versions prior to 1.0.36 Description: The issue is related to the lack of authorization and CSRF checks when updating options via a REST endpoint, and the failure to ensure that the option to be updated...

CVSS 10 · AI score 8.6 · EPSS 0.88218
Exploits 2 · References 9
OSV · added 2022/01/24 8:15 a.m.

CVE-2021-25073

The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete them via a CSRF attack...

CVSS 8.8 · AI score 5.8
Exploits 0 · References 2
Prion · added 2021/12/06 4:15 p.m.

Cross-site request forgery (CSRF)

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawktosetwidget and tawktoremovewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users including simple subscribers to change the...

CVSS 6 · AI score 7.7 · EPSS 0.00175
Exploits 2 · References 1 · Affected Software 1
VulnCheck KEV · added 2021/12/06 12:00 a.m.

VulnCheck KEV: CVE-2021-25032

The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a...

CVSS 9.8 · AI score 7.3 · EPSS 0.81889
Exploits 2 · References 1
WPVulnDB · added 2021/10/05 12:00 a.m.

Two Way Chat < 3.1.5 - Multiple CSRF

The plugin does not have CSRF checks in place in some of its functions, allowing attackers to make a logged-in admin perform unwanted actions, such as updating the plugin's settings. PoC...

AI score 3.1
Exploits 0 · References 1 · Affected Software 1
OSV · added 2021/09/20 10:15 a.m.

CVE-2021-24639

The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgfajaxemptydir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server...

CVSS 8.1 · AI score 5.9 · EPSS 0.00404
Exploits 2 · References 1
OSV · added 2021/04/05 7:15 p.m.

CVE-2021-24174

The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups...

CVSS 8.1 · AI score 5.8 · EPSS 0.00375
Exploits 5 · References 2