23 matches found

ATTACKERKB
added 12 hours ago · 4 views

CVE-2026-8379

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating...

5.9 AI score
Exploits 0 · References 1

RedhatCVE
added 2026/01/09 9:26 a.m. · 5 views

CVE-2023-4161

The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can tric...

4.3 CVSS · 6.7 AI score · 0.00263 EPSS
Exploits 0 · References 1

RedhatCVE
added 2026/01/09 9:25 a.m. · 5 views

CVE-2023-4629

The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the saveconfig function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipageconfig' option via a forged request granted they...

4.3 CVSS · 6.5 AI score · 0.0021 EPSS
Exploits 0 · References 1

Cvelist
added 2026/01/07 9:20 a.m. · 22 views

CVE-2025-14465 Sticky Action Buttons <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update

The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabsoptionspageformsubmit function. This makes it possible for unauthenticated attackers to update plug...

4.3 CVSS · 0.00112 EPSS
Exploits 0 · References 2

RedhatCVE
added 2025/05/23 9:16 a.m. · 2 views

CVE-2024-4088

The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disablefeassets function in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with...

4.3 CVSS · 5.9 AI score · 0.0028 EPSS
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 8:14 a.m. · 3 views

CVE-2024-12219

The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request...

6.1 CVSS · 7.1 AI score · 0.00223 EPSS
Exploits 0 · References 1

Cvelist
added 2024/07/12 2:36 a.m. · 32 views

CVE-2024-1375 Event post <= 5.9.10 - Cross-Site Request Forgery

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing nonce check on the savebulkdatas function in all versions up to, and including, 5.9.10. This makes it possible for unauthenticated attackers to update postmetadata via a forged request, granted...

4.3 CVSS · 0.00192 EPSS
Exploits 0 · References 2

CVE
added 2024/07/12 2:36 a.m. · 45 views

CVE-2024-1375

CVE-2024-1375 affects the WordPress Event post plugin. A missing nonce check in the save_bulkdatas function allows unauthorized bulk updates to post_meta_data in all versions up to 5.9.5. An unauthenticated attacker can exploit this by forging requests, requiring that a logged-in user be tricked ...

4.3 CVSS · 5.9 AI score · 0.00192 EPSS
Exploits 0 · References 2

Positive Technologies
added 2024/07/12 12:00 a.m. · 3 views

PT-2024-17987 · WordPress · Event Post Plugin For WordPress

Name of the Vulnerable Software and Affected Versions: Event post plugin for WordPress versions up to, and including, 5.9.5 Description: The issue allows unauthorized bulk metadata updates due to a missing nonce check on the save bulkdatas function. This enables unauthenticated attackers to updat...

4.3 CVSS · 6.9 AI score · 0.00192 EPSS
Exploits 0 · References 5

Vulnrichment
added 2024/06/05 6:50 a.m. · 10 views

CVE-2024-4088 Gutenberg Blocks and Page Layouts – Attire Blocks <= 1.9.2 - Missing Authorization

The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disablefeassets function in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with...

4.3 CVSS · 6.6 AI score · 0.0028 EPSS
Exploits 0 · References 2

Prion
added 2023/08/31 6:15 a.m. · 22 views

Cross-site request forgery (CSRF)

The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can tric...

4.3 CVSS · 4.7 AI score · 0.00263 EPSS
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2023/08/31 5:33 a.m. · 25 views

CVE-2023-4161 WooCommerce PDF Invoice Builder <= 1.2.90 - Cross-Site Request Forgery to Custom Field Creation

The WooCommerce PDF Invoice Builder for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can tric...

4.3 CVSS · 4.7 AI score · 0.00263 EPSS
Exploits 0 · References 3

OSV
added 2023/07/28 5:15 a.m. · 2 views

CVE-2023-3977

Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery to unauthorized installation of plugins due to a missing nonce check on the handleinstallation function that is called via the inisevinstallation AJAX action in various versions. This makes it possible for...

4.3 CVSS · 6.5 AI score
Exploits 0 · References 23

CNNVD
added 2023/06/07 12:00 a.m. · 4 views

WordPress Plugin uListing Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...

6.5 CVSS · 5.8 AI score · 0.0073 EPSS
Exploits 1 · References 4

Prion
added 2023/04/20 6:15 p.m. · 15 views

Cross-site request forgery (CSRF)

Form block is a WordPress plugin designed to make form creation easier. Versions prior to 1.0.2 are subject to a Cross-Site Request Forgery due to a missing nonce check. There is potential for a Cross-Site Request Forgery for all form blocks, since it allows requests to be sent to the forms from any...

4.3 CVSS · 6.5 AI score · 0.00295 EPSS
Exploits 0 · References 2 · Affected Software 1

Positive Technologies
added 2023/04/20 12:00 a.m. · 3 views

PT-2023-22813 · WordPress · Form Block

Name of the Vulnerable Software and Affected Versions: Form block versions prior to 1.0.2 Description: The Form block WordPress plugin is subject to a Cross-Site Request Forgery (CSRF) due to a missing nonce check. This allows requests to be sent to forms from any website without the user's...

6.5 CVSS · 6.4 AI score · 0.00295 EPSS
Exploits 0 · References 7

Positive Technologies
added 2022/07/18 12:00 a.m. · 3 views

PT-2022-15298 · Gallery · Gallery

Name of the Vulnerable Software and Affected Versions: Gallery for Social Photo versions up to, and including 1.0.0.27 Description: The issue is related to Cross-Site Request Forgery due to the failure to properly check for the existence of a nonce in the gifeed duplicate feed function. This allo...

5.4 CVSS · 4.3 AI score · 0.00331 EPSS
Exploits 1 · References 8

NVD
added 2022/06/13 2:15 p.m. · 29 views

CVE-2022-1749

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...

8.8 CVSS · 0.00785 EPSS
Exploits 1 · References 3

Prion
added 2022/06/13 2:15 p.m. · 14 views

Cross-site request forgery (CSRF)

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...

6.8 CVSS · 8.5 AI score · 0.00785 EPSS
Exploits 1 · References 3 · Affected Software 1

Vulnrichment
added 2022/06/13 1:13 p.m. · 7 views

CVE-2022-1749 WPMK Ajax Finder <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...

8.8 CVSS · 7.3 AI score · 0.00785 EPSS
Exploits 1 · References 3