Cross site request forgery (csrf)
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...
CVE-2022-1918
The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing nonce validation on the plugintoolbarcomparte page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject...
CVE-2022-1761
The Peter’s Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more...
CVE-2022-1749 WPMK Ajax Finder <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...
CVE-2022-1900 Copify <= 1.3.0 - Cross-Site Request Forgery to Cross-Site Scripting
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web...
PT-2022-14083
Name of the Vulnerable Software and Affected Versions: WPMK Ajax Finder WordPress plugin versions up to and including 1.0.1 Description: The issue is related to Cross-Site Request Forgery, which occurs due to a missing nonce check in the createplugin atf admin setting page function found in the...
PT-2022-14194 · WordPress · Toolbar To Share
Name of the Vulnerable Software and Affected Versions: ToolBar to Share plugin for WordPress versions up to, and including, 2.0 Description: The issue is due to missing nonce validation on the plugin toolbar comparte page, making it possible for unauthenticated attackers to update the plugin's...
VulnCheck KEV: CVE-2022-1903
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover, even of the administrator, due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username...
WordPress plugin cross-site request forgery vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site request forgery vulnerability exists in versions of the WordPress plugin Simple Download Monitor prior to 3.9.9, which...
VulnCheck KEV: CVE-2021-24499
The Workreap WordPress theme before 2.2.2 AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the...
CVE-2021-42364
The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the statspage function found in the /stetic.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.0.6...
CVE-2021-42358
The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the /cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.6.2...
CVE-2021-24668
The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack...
CVE-2021-39353
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajaxaddform function found in the /includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including...
CVE-2021-39353 Easy Registration Forms <= 2.1.1 Cross-Site Request Forgery to Stored Cross-Site Scripting
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajaxaddform function found in the /includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including...
CVE-2021-34636
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the savetheme function found in the /includes/admin/coundownthemepage.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up t...
CVE-2021-34636 Countdown and CountUp, WooCommerce Sales Timer <= 1.5.7 Cross-Site Request Forgery to Stored Cross-Site Scripting
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the savetheme function found in the /includes/admin/coundownthemepage.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up t...
CVE-2021-34619
The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file...
CVE-2021-34620
The WP Fluent Forms plugin 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions...