Lucene search
+L

258 matches found

Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.11 views

PT-2026-36589

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate action status AJAX handler, which is registered to be accessible to unauthenticated users...

5.3CVSS5.9AI score0.00402EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/04/23 8:38 p.m.7 views

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

4.3CVSS5.7AI score0.00178EPSS
Exploits0References1
NVD
NVD
added 2026/04/22 9:16 a.m.6 views

CVE-2026-4131

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS0.00181EPSS
Exploits0References11
NVD
NVD
added 2026/04/22 9:16 a.m.7 views

CVE-2026-4140

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the niorderexportaction AJAX handler function. The handler processes settings updates when the 'page' parameter is...

4.3CVSS0.00156EPSS
Exploits0References5
NVD
NVD
added 2026/04/22 9:16 a.m.8 views

CVE-2026-4117

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

5.3CVSS0.00364EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.9 views

CVE-2026-4138

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

4.3CVSS5.7AI score0.00193EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.31 views

CVE-2026-6294 Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplayoption function, which handles the plugin settings page. The settings form does not include a wpnoncefield, and...

4.3CVSS0.002EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.4 views

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

4.3CVSS5.7AI score0.00178EPSS
Exploits0References8
CVE
CVE
added 2026/04/22 7:45 a.m.27 views

CVE-2026-6396

CVE-2026-6396 concerns the WordPress plugin “Fast & Fancy Filter – 3F” (versions up to and including 1.2.2). The issue arises from missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This design flaw allows unauthenticated attackers to forge re...

4.3CVSS5.8AI score0.0018EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.4 views

CVE-2026-6396

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields function, which handles the fffsavesettins AJAX action. This makes it possible for unauthenticated...

4.3CVSS5.8AI score0.0018EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.10 views

CVE-2026-4140

The Ni WooCommerce Order Export plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.1.6. This is due to missing nonce validation in the niorderexportaction AJAX handler function. The handler processes settings updates when the 'page' parameter is...

4.3CVSS5.6AI score0.00156EPSS
Exploits0References6
CVE
CVE
added 2026/04/22 7:45 a.m.16 views

CVE-2026-4140

The Ni WooCommerce Order Export WordPress plugin (≤ version 3.1.6) is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ni_order_export_action() AJAX handler. When the page parameter is 'nioe-order-settings', Ni_Order_Setting::page_ajax() calls update_option('ni_orde...

4.3CVSS5.6AI score0.00156EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.3 views

CVE-2026-4131 WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.12 views

PT-2026-34297

Name of the Vulnerable Software and Affected Versions Ni WooCommerce Order Export versions prior to 3.1.7 Description An issue exists where missing nonce validation in the ni order export action AJAX handler function allows unauthenticated attackers to modify plugin settings via a forged request...

4.3CVSS5.7AI score0.00156EPSS
Exploits0References9
CVE
CVE
added 2026/04/15 8:28 a.m.11 views

CVE-2026-4002

CVE-2026-4002 affects the Petje.af WordPress plugin (versions

4.3CVSS5.8AI score0.00163EPSS
Exploits0References7
EUVD
EUVD
added 2026/04/10 1:24 a.m.4 views

EUVD-2026-21250

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the ahscajaxresetoptions function. This makes it possible for unauthenticated attackers to reset all plugin settings t...

4.3CVSS5.8AI score0.00181EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/08 12:31 p.m.8 views

EUVD-2026-20441

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

4.3CVSS5.8AI score0.00128EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/08 11:16 a.m.14 views

CVE-2026-1673

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

4.3CVSS5.8AI score0.00128EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/08 9:31 a.m.8 views

EUVD-2026-20109

The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quranplaylistoptions function that handles the plugin's settings page. The function processes POST requests to update...

4.3CVSS5.8AI score0.0016EPSS
Exploits0References6
NVD
NVD
added 2026/04/08 2:16 a.m.4 views

CVE-2026-3499

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajaxmigratetocustomposttype,...

8.8CVSS0.00165EPSS
Exploits0References2
Rows per page
Query Builder