CVE-2026-3903 Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth function. This makes it possible for unauthenticated attacker...

CVE-2025-13523

Mattermost Confluence plugin version 1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connectio...

EUVD-2025-203002

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtoollogingoogle function. This makes it...

CVE-2025-13408

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtoollogingoogle function. This makes it...

CVE-2025-13408 Foxtool All-in-One: Contact chat button, Custom login, Media optimize images <= 2.5.2 - Cross-Site Request Forgery to Google OAuth Connection

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtoollogingoogle function. This makes it...

CVE-2025-13408

CVE-2025-13408 refers to Foxtool All-in-One for WordPress. Wordfence reports a CSRF vulnerability in foxtool_login_google() across versions up to 2.5.2, caused by missing/incorrect nonce validation. This allows unauthenticated attackers to trigger an OAuth connection by tricking a site administra...

EUVD-2021-11078

Malware in sbrugna...

CVE-2021-24164

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connecti...

CVE-2025-23046

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth...

glpi-project -- GLPI multiple vulnerabilities

[email protected] reports: CVE-2024-11955: A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The...

PT-2025-6973 · Unknown +2 · Oauthimap Plugin +2

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.5.0 through 10.0.17 Description: The issue allows unauthorized access to GLPI when a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, leveraging existing Oauth...

CVE-2024-36370

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible...

CVE-2024-36370

JetBrains TeamCity is affected by CVE-2024-36370: stored XSS via OAuth connection settings. Affected versions: before 2022.04.7, 2022.10.6, 2023.05.6, or 2023.11.5. The vulnerability stems from lacking proper sanitization in OAuth connection settings, enabling an attacker to inject script through...

CVE-2021-24166

The wpajaxnfoauthdisconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...

Cross site request forgery (csrf)

The wpajaxnfoauthdisconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...

CVE-2021-24166 Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection

The wpajaxnfoauthdisconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...