CVE-2025-13314 Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification

The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filtersavesettings' and 'addfilteroptions' AJAX action...

EUVD-2024-17453

Malicious code in bioql PyPI...

PT-2025-16937 · WordPress · The Ultimate Dashboard

Name of the Vulnerable Software and Affected Versions: The Ultimate Dashboard WordPress plugin versions prior to 3.8.6 Description: The issue concerns a Stored Cross-Site Scripting vulnerability. It arises because the plugin does not properly sanitise and escape some of its settings, allowing...

CVE-2024-11840

The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucssdata, updaterapidloadsettings, wpajaxupdatehtaccessfile, uucssupdaterule, uploadrules, getallrules,...

PT-2025-2163 · WordPress · The Food Menu – Restaurant Menu & Online Ordering

Name of the Vulnerable Software and Affected Versions: The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress versions up to, and including, 5.1.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to modify the plugin's...

CVE-2024-11840 RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection

The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucssdata, updaterapidloadsettings, wpajaxupdatehtaccessfile, uucssupdaterule, uploadrules, getallrules,...

CVE-2024-6883 Event Espresso 4 Decaf – Event Registration Event Ticketing <= 4.10.46.decaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification

The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to and including 4.10.46.decaf. This make...

CVE-2024-6579 Web and WooCommerce Addons for WPBakery Builder <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification

The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with...

CVE-2024-4463 Squelch Tabs and Accordions Shortcodes <= 0.4.7 - Cross-Site Request Forgery

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to modify...

PowerPack Pro for Elementor < 2.10.8 - Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting

Description The PowerPack Pro for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions prior to 2.10.8. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to modify plugin settings and inject arbitrary web...

Cross site request forgery (csrf)

The Depicter Slider – Responsive Image Slider, Video Slider & Post Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for...

CVE-2023-2067

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce validation on the 'bulletinwpupdatebulletinstatus', 'bulletinwpupdatebulletin', 'bulletinwpupdatesettings', 'bulletinwpupdatestatus',...

CVE-2020-36697

The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings...

Authorization

The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings...

CVE-2018-8814

Cross-site request forgery CSRF vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/pluginname/settings by crafting a malicious request...

Cross site request forgery (csrf)

Cross-site request forgery CSRF vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/pluginname/settings by crafting a malicious request...

CVE-2018-8814

Cross-site request forgery CSRF vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/pluginname/settings by crafting a malicious request...