105 matches found
CVE-2022-2541
The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the /app/sites/ajax/actions/keywordsave.php file that is called via the doAjax function. This makes i...
CVE-2022-2039
The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupportisettings function found in the /livesupporti.php file. This makes it possible for unauthenticated attacke...
CVE-2020-36840
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wpajaxrouteurl function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers t...
CVE-2024-13510
The CVE-2024-13510 entry covers the WordPress ShopSite plugin (versions up to 1.5.10) vulnerable to Cross-Site Request Forgery, enabling unauthenticated attackers to update settings and inject malicious scripts via forged requests that trick an admin into performing an action. Technical details a...
CVE-2024-12076 Target Video Easy Publish <= 3.8.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the resynccarousel, seeksnapshot, uploadedcc, and removecc functions. This makes it possible for...
CVE-2024-13444
The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via...
CVE-2024-12005
The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the wpbibtexoptionpage function. This makes it possible for unauthenticated attackers to inject malicious web scripts...
CVE-2024-12291
CVE-2024-12291 : The ViewMedica 9 WordPress plugin is vulnerable to Cross-Site Request Forgery that leads to a Reflected Cross-Site Scripting condition in all versions up to 1.4.15. The root cause is missing or incorrect nonce validation on a function, enabling unauthenticated attackers to induce...
CVE-2024-11975 Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Reflected Cross-Site Scripting
The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpnonce' parameter in all versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...
CVE-2024-11812 Wtyczka SeoPilot dla WP <= 3.3.091 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the SeoPilotAdminOptions function. This makes it possible for unauthenticated attackers to update...
CVE-2024-12220
The SMS for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forg...
CVE-2024-9872
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitasaveuserdatacallback function in all versions up to, and including, 4.5.1. This makes it possible for authenticated...
CVE-2024-11336
The Clickbank WordPress Plugin Storefront plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the csmenu page. This makes it possible for unauthenticated attackers to update settings a...
CVE-2024-11342
The Skt NURCaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing or incorrect nonce validation in the skt-nurc-admin.php file. This makes it possible for unauthenticated attackers to update settings and inject...
CVE-2024-11342
CVE-2024-11342 pertains to the WordPress plugin Skt NURCaptcha. Affected versions: all up to and including 3.5.0. Root cause: missing/incorrect nonce validation in skt-nurc-admin.php, enabling Cross-Site Request Forgery. Impact: unauthenticated attackers could trick a site administrator into upda...
CVE-2024-10726 Friendly Functions for Welcart <= 1.2.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...
CVE-2024-10726 Friendly Functions for Welcart <= 1.2.4 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...
CVE-2024-10922
CVE-2024-51647 describes a CSRF to Stored XSS vulnerability in the WordPress plugin Chaser324 Featured Posts Scroll, affecting versions up to 1.25. The issue enables stored XSS via CSRF in the plugin’s Featured Posts Scroll component. Public-facing details in connected documents confirm the affec...
CVE-2024-10922
...
CVE-2024-9434
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the ontranslateoptionspage function. This makes it possible for unauthenticated attackers to inject...