CVE-2025-14441

The CVE CVE-2025-14441 affects the Popupkit/Popup Builder WordPress plugin, where the DELETE /subscribers REST endpoint allows arbitrary subscriber data deletion due to a permission-one-check flaw: permission_callback validates only wp_rest nonce and not user capabilities. Exploitation is possibl...

CVE-2025-10691

The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the showeditsubpage function. This makes it possible for unauthenticated attackers to delete arbitrary...

PT-2025-45172

Name of the Vulnerable Software and Affected Versions Easy Email Subscription plugin for WordPress versions up to and including 1.3 Description The Easy Email Subscription plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by a lack of, or incorrect, nonce validatio...

CVE-2024-3590

The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers...

Cross site request forgery (csrf)

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers...