10 matches found

Vulnrichment · added 2026/01/07 4:32 a.m. · 1 view

CVE-2025-14468 AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the ampthemeajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts...

CVSS 4.3 · AI score 5.3 · EPSS 0.0002 · Exploits 0 · References 5
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-54155

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.9 · EPSS 0.13531 · Exploits 1 · References 1
EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2023-54031

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.3 · EPSS 0.21629 · Exploits 1 · References 1
OSV · added 2025/07/04 3:15 a.m. · 1 view

CVE-2025-5924

The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpnbrodcastnotificationmessage function. This makes it possible for unauthenticated attacker...

CVSS 4.3 · AI score 5.6 · EPSS 0.00046 · Exploits 0 · References 2
OSV · added 2023/09/04 12:15 p.m. · 2 views

CVE-2023-4284

The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 · AI score 7.3 · Exploits 0 · References 1
Vulnrichment · added 2023/09/04 11:26 a.m. · 6 views

CVE-2023-4284 Post Timeline < 2.2.6 - Reflected XSS

The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.3 · EPSS 0.13531 · Exploits 1 · References 1
Positive Technologies · added 2023/09/04 12:00 a.m. · 2 views

PT-2023-28614 · WordPress · Post Timeline

Name of the Vulnerable Software and Affected Versions: The Post Timeline WordPress plugin versions prior to 2.2.6. Description: The issue is related to a Reflected Cross-Site Scripting that could be used against high privilege users, such as admin. This occurs because the plugin does not sanitise...

CVSS 6.1 · AI score 6.2 · EPSS 0.13531 · Exploits 1 · References 6
WPVulnDB · added 2023/08/10 12:00 a.m. · 8 views

Post Timeline < 2.2.6 - Reflected XSS

Description: The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC: Make a logged in admin open the URL below...

CVSS 6.1 · AI score 6.1 · EPSS 0.13531 · Exploits 1 · Affected Software 1
Veracode · added 2019/11/20 2:39 a.m. · 18 views

Denial Of Service (DoS)

github.com/cloudfoundry/gorouter is vulnerable to denial of service. The vulnerability exists due to an improper validation of the nonce input, allowing a remote attacker to crash the application by sending a malicious route service request with an invalid nonce...

CVSS 8.6 · AI score 4.1 · EPSS 0.00633 · Exploits 0 · References 2 · Affected Software 1
Packet Storm · added 2015/03/14 12:00 a.m. · 26 views

WordPress WPML Missing Authentication

One more vulnerability reported on March 02 and fixed in version 3.1.9: 4. Unauthenticated administrative functions. An unauthenticated attacker may under certain conditions bypass WPML's nonce check and perform administrative functions. The administrative ajax functions are protected with nonces ...

AI score 0.8 · Exploits 0
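Three of the WordPress entries above are the same control failing in different ways: the nonce check is inverted (CVE-2025-14468), absent (CVE-2025-5924), or correct but followed by echoing the rejected nonce back unescaped (CVE-2023-4284). The following is an added illustration written for this page, not code from any of the plugins listed or from WordPress itself. It models WordPress's nonce scheme (a tick-based HMAC truncated to ten characters, accepted for the current and previous tick) in plain Python with a constructed salt, leaves out the per-session token, and uses made-up handler, request and action names; it then runs each handler shape against a legitimate request, a cross-site forgery with no nonce, and a forgery carrying a script tag as the nonce.

```python
import hashlib
import hmac
import html
import math
import time

# Constructed secret for the demo. WordPress derives the real key from
# NONCE_KEY/NONCE_SALT in wp-config.php; never hard-code one in a plugin.
NONCE_SALT = b"constructed-demo-salt-not-a-real-key"
NONCE_LIFE = 24 * 60 * 60          # WordPress default nonce lifetime (DAY_IN_SECONDS)
ACTION = "ampthemeajaxcomments"    # assumed action name for the modelled handler


def nonce_tick(now):
    """Like wp_nonce_tick(): ceil(time / (life/2)). A nonce is accepted for the
    current tick and the one before it, so it lives between 12 and 24 hours."""
    return math.ceil(now / (NONCE_LIFE / 2))


def create_nonce(action, user_id, tick):
    """Like wp_create_nonce(): substr(hmac_md5("tick|action|uid"), -12, 10).
    The session token WordPress also mixes in is left out here (assumption)."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.md5).hexdigest()[-12:-2]


def verify_nonce(nonce, action, user_id, now):
    """Like wp_verify_nonce(): 1 for the current tick, 2 for the previous one,
    False otherwise. Compare as bytes in constant time, so an attacker-supplied
    non-ASCII string cannot make compare_digest raise instead of failing closed."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = create_nonce(action, user_id, t)
        if hmac.compare_digest(nonce.encode(), expected.encode()):
            return age
    return False


def inverted_handler(request, user_id, now):
    """CVE-2025-14468 pattern: the truth value is inverted, so a request carrying
    a VALID nonce is refused and a forged one (bad or missing nonce) is processed."""
    if verify_nonce(request.get("nonce", ""), ACTION, user_id, now):
        return 403, "invalid nonce"
    return 200, "comment submitted: " + request.get("comment", "")


def unchecked_handler(request, user_id, now):
    """CVE-2025-5924 pattern: no nonce validation at all; any cross-site form
    post made from a logged-in user's browser succeeds."""
    return 200, "comment submitted: " + request.get("comment", "")


def reflecting_handler(request, user_id, now):
    """CVE-2023-4284 pattern: the check is right, but the rejected nonce is
    echoed back raw, turning the error path into reflected XSS."""
    nonce = request.get("nonce", "")
    if not verify_nonce(nonce, ACTION, user_id, now):
        return 403, "invalid nonce: " + nonce
    return 200, "comment submitted: " + request.get("comment", "")


def safe_handler(request, user_id, now):
    """Correct shape: reject on a falsy verify result, and escape anything
    attacker-controlled before it goes back into the response."""
    nonce = request.get("nonce", "")
    if not verify_nonce(nonce, ACTION, user_id, now):
        return 403, "invalid nonce: " + html.escape(nonce)
    return 200, "comment submitted: " + html.escape(request.get("comment", ""))


def run_scenarios(now=None):
    """Run every handler against a legitimate request, a CSRF-style forgery with
    no nonce, and a forgery whose nonce is a script tag; return status codes and
    the body produced for the script-tag request."""
    now = time.time() if now is None else now
    user = 7
    legit = {"nonce": create_nonce(ACTION, user, nonce_tick(now)), "comment": "hi"}
    forged = {"comment": "spam"}                                      # cross-site form post
    xss = {"nonce": "<script>alert(1)</script>", "comment": "spam"}  # constructed payload
    handlers = (("inverted", inverted_handler), ("unchecked", unchecked_handler),
                ("reflecting", reflecting_handler), ("safe", safe_handler))
    results = {}
    for name, handler in handlers:
        results[name] = {
            "legit": handler(legit, user, now)[0],
            "forged": handler(forged, user, now)[0],
            "xss_body": handler(xss, user, now)[1],
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:10s} legit={r['legit']} forged={r['forged']} xss_body={r['xss_body']!r}")
```

Two things the model makes visible that the one-line summaries do not: an inverted check is worse than no check, because it also breaks the legitimate path, so the bug tends to be noticed only when the comment form stops working for real users; and the error path of a correct check is still attacker-controlled output, which is exactly where the Post Timeline XSS lived.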