1116 matches found
CVE-2024-13518
The Simple:Press Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.10.11. This is due to missing or incorrect nonce validation on the 'spsaveeditedpost' function. This makes it possible for unauthenticated attackers to modify a forum po...
CVE-2025-1506
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counteraccesskeysetup function. This makes it possible for unauthenticated...
CVE-2025-1687 Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'updateuserprofile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forg...
PT-2025-7819 · WordPress · Wordpress File Upload
Name of the Vulnerable Software and Affected Versions: WordPress File Upload plugin versions up to 4.25.2 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the wfu file details function. This allows unauthenticated attackers to modify...
CVE-2024-13315
The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the savesetting function. This makes it possible for unauthenticated...
CVE-2024-13336
The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'disable-auto-updates' page. This makes it possible for unauthenticated attackers to disable all auto...
CVE-2024-13339
The DeBounce Email Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.6. This is due to missing or incorrect nonce validation on the 'debounceemailvalidator' page. This makes it possible for unauthenticated attackers to update...
CVE-2024-13522
The magayo Lottery Results plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.12. This is due to missing or incorrect nonce validation on the 'magayo-lottery-results' page. This makes it possible for unauthenticated attackers to update...
CVE-2024-10581
The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfllistingStatusChange function. This makes it possible for unauthenticated attackers to update...
CVE-2024-12386
The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request...
CVE-2025-0808
The Houzez Property Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.21. This is due to missing or incorrect nonce validation on the "deleteexport" action. This makes it possible for unauthenticated attackers to delete property feed...
CVE-2022-2001
The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxssadminpage function found in the /dx-share-selection.php file. This makes it possible for unauthenticated attackers to...
CVE-2024-12293
The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the updateroles function. This makes it possible for unauthenticated attackers to add or remove roles for...
CVE-2024-0203
The Digits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.1. This is due to missing nonce validation in the 'digitssavesettings' function. This makes it possible for unauthenticated attackers to modify the default role of registered users to...
CVE-2024-13356
The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the userremoveform.php file. This makes it possible for unauthenticated attackers to delete admin user...
CVE-2024-13521
The MailUp Auto Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the masoptions function. This makes it possible for unauthenticated attackers to update settings and...
CVE-2024-13683
The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. This is due to missing or incorrect nonce validation on the 'automatehub' page. This makes it possible for unauthenticated attackers to update an...
CVE-2024-10789 WP User Profile Avatar <= 1.0.5 - Cross-Site Request Forgery to Settings Update
The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupauseradmin function. This makes it possible for unauthenticated attackers to update the plugins...
CVE-2025-0393
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wprfiltergridposts function. This makes it possible for unauthenticated attackers t...
CVE-2024-12557
CVE-2024-12557 affects the Transporters.io WordPress plugin. The issue is a Cross‑Site Request Forgery due to missing nonce validation in a function, enabling unauthenticated attackers to trigger actions via forged requests when an admin clicks a link. Affected versions are up to 2.0.84. The Word...