CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 3 days ago•5 views

CVE-2026-8422 Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update

Cvelist•added 3 days ago•36 views

CVE-2026-9730 Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update

The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmzcommentsettingssave function. This makes it possible for unauthenticated attackers to modify...

4.3CVSS0.00012EPSS

Exploits0References4

CVE•added 3 days ago•8 views

CVE-2026-8422

CVE-2026-8422 concerns the WordPress plugin Remove meta boxes per user role (versions up to and including 1.01). The vulnerability stems from missing or incorrect nonce validation on the remove-meta-boxes-per-user-role page, enabling CSRF. This could allow unauthenticated attackers to modify or r...

ATTACKERKB•added 3 days ago•4 views

CVE-2026-9730

4.3CVSS5.7AI score0.00012EPSS

Exploits0References5

ATTACKERKB•added 3 days ago•7 views

CVE-2026-8422

ATTACKERKB•added 3 days ago•5 views

Exploits0References8

CVE-2026-9723

The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the...

4.3CVSS5.7AI score0.00012EPSS

Exploits0References5

Positive Technologies•added 3 days ago•5 views

PT-2026-45715

Name of the Vulnerable Software and Affected Versions Remove NoFollow Commenter URL versions prior to 1.1 Description The plugin is subject to Cross-Site Request Forgery due to missing or incorrect nonce validation in the gmz comment settings save function. This allows unauthenticated attackers t...

4.3CVSS5.7AI score0.00012EPSS

Positive Technologies•added 3 days ago•6 views

PT-2026-45709

Github Security Blog•added last week•17 views

Exploits0References8

Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords

Summary modules/registration.php mode sendlogin regenerates a random password for useruuidassigned, stores its bcrypt hash in admusers.usrpassword, and emails the cleartext to that user. Every other state-changing mode in the same file assignmember, assignuser, deleteuser, createuser calls...

5.7AI score

Exploits0References2Affected Software1

Positive Technologies•added 2026/05/29 12:0 a.m.•11 views

PT-2026-45039

Summary modules/sso/clients.php validates an adm csrf token on every state-changing branch except enable. The enable case loads the SAML or OIDC client by UUID, calls $client-enable$enabled, and persists the new state with no token check. Because the action is reachable via plain GET parameters, ...

5.4CVSS5.8AI score

Exploits0References3

NVD•added 2026/05/28 8:16 a.m.•11 views

CVE-2026-6455

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the processbulkaction function, the...

8.1CVSS0.00039EPSS

Exploits0References10

Vulnrichment•added 2026/05/28 5:30 a.m.•8 views

CVE-2026-7533 Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handleoauthredirect function, which is registered on the admininit hook and processes Square OAuth tokens from ...

4.3CVSS5.8AI score0.00015EPSS

Exploits0References8

CVE•added 2026/05/27 2:14 p.m.•9 views

CVE-2026-9674

CVE-2026-9674 is a CSRF vulnerability in Jenkins Multijob Plugin (versions including 662.vd2e0001f6b_b_d and earlier) that allows an attacker to resume failed Multijob builds. The NVD/NVD-derived data attributes a CVSS v3.1 base score of 4.3 (Medium) with network attack vector, low attack complex...

Exploits0References1Affected Software1

EUVD•added 2026/05/27 2:14 p.m.•9 views

EUVD-2026-32519

A cross-site request forgery CSRF vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6bbd and earlier allows attackers to resume failed Multijob builds...

ATTACKERKB•added 2026/05/27 2:14 p.m.•9 views

Exploits0References1

CVE-2026-9674

A cross-site request forgery CSRF vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6bbd and earlier allows attackers to resume failed Multijob builds...

AlpineLinux•added 2026/05/27 2:14 p.m.•10 views

Exploits0References2

CVE-2026-9674

A cross-site request forgery CSRF vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6bbd and earlier allows attackers to resume failed Multijob builds...