CVE-2026-4131
The CVE-2026-4131 entry concerns the WP Responsive Popup + Optin WordPress plugin (versions up to 1.4). Root cause: the admin settings form (wpo_admin_page.php) does not generate or verify a nonce (wp_nonce_field/wp_verify_nonce/check_admin_referer), enabling CSRF that can update plugin settings,...
CVE-2026-3572 iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field
The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...
CVE-2020-36721
The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activelloactivateplugin' and 'activellodeactivateplugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing...
PT-2023-11863 · Activello +1 · Activello +2
Name of the Vulnerable Software and Affected Versions: The Brilliance versions prior to 1.2.8; Activello versions prior to 1.4.1; Newspaper X versions prior to 1.3.2.
Description: The issue is related to the lack of capability and security checks/nonces in the activello activate plugin and activello...
CVE-2022-3097
The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections...
PT-2022-20426 · WordPress · Lbstopattack
Name of the Vulnerable Software and Affected Versions: Plugin LBstopattack WordPress plugin versions prior to 1.1.3.
Description: The issue allows attackers to conduct CSRF attacks because the plugin does not use nonces when saving its settings. This could enable attackers to disable the plugin's...