8651 matches found
CVE-2026-1390
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdownsettingscontent function. This makes it possible for unauthenticated attackers to update the plugin settings...
CVE-2026-1378
The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cptpluginoptions function. This makes it possible for unauthenticated attackers to update the plugin settings including...
CVE-2026-2723
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to...
CVE-2026-2723
The CVE-2026-2723 entry relates to the Post Snippits WordPress plugin. A CSRF vulnerability exists in all versions up to 1.0 due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This allows unauthenticated attackers to modify plugin settings and...
CVE-2026-4143
The CVE concerns the Neos Connector for Fakturama WordPress plugin. A CSRF flaw exists in all versions up to and including 0.0.14 due to missing nonce validation in the ncff_add_plugin_page() function that handles settings updates. As a result, unauthenticated attackers could modify plugin settin...
CVE-2026-4143 Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update
The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...
CVE-2026-3645
The CVE describes a concrete vulnerability in the Punnel – Landing Page Builder WordPress plugin (up to version 1.3.1). The save_config() function handling the punnel_save_config AJAX action lacks any capability check (no current_user_can()) and nonce verification, allowing authenticated attacker...
CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...
CVE-2026-3546
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshotformbuildergetaccountdata function is registered as a wpajax AJAX handler accessible to all authenticated users. The function lacks any capability che...
CVE-2026-3546 e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshotformbuildergetaccountdata function is registered as a wpajax AJAX handler accessible to all authenticated users. The function lacks any capability che...
CVE-2026-1503
The loginregister plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the...
CVE-2026-1503
The login_register plugin for WordPress (versions up to 1.2.0) is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting due to missing nonce validation on the settings page and insufficient sanitization/escaping of the login_post parameter. This allows unauthenticated at...
CVE-2026-1503 login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The loginregister plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the...
CVE-2026-1503 login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The loginregister plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the...
CVE-2026-3331
The CVE-2026-3331 entry concerns the Lobot Slider Administrator plugin for WordPress. A CSRF flaw affects versions up to and including 0.6.0, caused by missing or incorrect nonce validation on the fourty_slider_options_page function. This allows unauthenticated attackers to modify plugin slider-p...
CVE-2026-3331 Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update
The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourtyslideroptionspage function. This makes it possible for unauthenticated attackers to modify...
CVE-2026-1392 SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...
CVE-2026-1392
CVE-2026-1392 : The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1 due to missing nonce validation on the sr_minify_html_theme() function. This allows unauthenticated attackers to update plugin settings by convincing a si...
CVE-2026-1392
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...
CVE-2026-1392 SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...