50 matches found

CVE
added 2026/05/27 7:45 a.m. | 8 views

CVE-2026-8942

CVE-2026-8942 affects the WordPress MetaMagic SEO Plugin (versions up to 1.6). The issue is a Cross-Site Request Forgery due to missing or incorrect nonce validation in the metamagic_update_options function, allowing unauthenticated attackers to modify SEO settings (e.g., enable/disable the plugi...

CVSS 4.3 | AI score 5.7 | EPSS 0.00013
Exploits: 0 | References: 3

Patchstack
added 2026/05/26 5:23 p.m. | 4 views

WordPress Search Simple Fields plugin <= 0.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Search Simple Fields versions <= 0.2...

CVSS 4.3 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2026/04/01 5:3 p.m. | 1 view

CVE-2026-3191

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...

CVSS 5.4 | AI score 5.8 | EPSS 0.00006
Exploits: 0 | References: 1

CVE
added 2026/01/07 6:35 a.m. | 13 views

CVE-2025-14370

CVE-2025-14370 corresponds to the Quote Comments plugin for WordPress with Missing Authorization in all versions up to 3.0.0. The vulnerability allows authenticated users with Subscriber+ privileges to update arbitrary plugin options via the ‘action’ parameter, per Wordfence reporting. Current st...

CVSS 4.3 | AI score 5.5 | EPSS 0.00048
Exploits: 0 | References: 2

CVE
added 2026/01/07 6:35 a.m. | 9 views

CVE-2025-14904

CVE-2025-14904 affects Newsletter Email Subscribe (WordPress plugin). The WordPress plugin versions up to 2.4 are vulnerable to Cross-Site Request Forgery due to incorrect nonce validation in the nels_settings_page function, enabling unauthenticated attackers to update plugin settings via forged ...

CVSS 4.3 | AI score 5.1 | EPSS 0.00027
Exploits: 0 | References: 2

Cvelist
added 2025/12/13 4:31 a.m. | 20 views

CVE-2025-14394 Popover Windows <= 1.2 - Cross-Site Request Forgery to Arbitrary Popover Configuration Update

The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they...

CVSS 4.3 | EPSS 0.00013
Exploits: 0 | References: 2

RedhatCVE
added 2025/11/05 4:14 a.m. | 2 views

CVE-2025-11007

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wpajaxnoprivce21singlesignonsaveapisettings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API...

CVSS 9.8 | AI score 5.8 | EPSS 0.00319
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-50038

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00117
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-51601

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 8.7 | EPSS 0.00119
Exploits: 0 | References: 3

Cvelist
added 2025/10/03 11:17 a.m. | 6 views

CVE-2025-9892 Restrict User Registration <= 1.0.1 - Cross-Site Request Forgery to Settings Update

The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update function. This makes it possible for unauthenticated attackers to update the plugin's...

CVSS 5.3 | EPSS 0.00017
Exploits: 0 | References: 2

Vulnrichment
added 2025/09/11 7:24 a.m. | 1 view

CVE-2025-0763 Ultimate Classified Listings <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomfields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access a...

CVSS 4.3 | AI score 4.7 | EPSS 0.00053
Exploits: 0 | References: 2

Cvelist
added 2025/07/04 1:44 a.m. | 5 views

CVE-2025-5933 RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update

The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData function. This makes it possible for unauthenticated attackers to update plugin settings via a...

CVSS 4.3 | EPSS 0.00046
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/23 7:52 a.m. | 2 views

CVE-2024-12176

The WordLift – AI powered SEO – Schema plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'wlconfigplugin' AJAX action in all versions up to, and including, 3.54.2. This makes it possible for unauthenticated attackers to update the plugin's settings...

CVSS 5.3 | AI score 7.2 | EPSS 0.00344
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 6:53 a.m. | 4 views

CVE-2024-12526

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.1. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 7.2 | EPSS 0.00179
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:58 a.m. | 3 views

CVE-2023-6638

The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updatesettings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings...

CVSS 6.5 | AI score 6.7 | EPSS 0.00205
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 4:32 a.m. | 7 views

CVE-2023-5737

The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings...

CVSS 4.3 | AI score 6.7 | EPSS 0.00067
Exploits: 2

Cvelist
added 2025/05/14 2:23 a.m. | 16 views

CVE-2025-4520 Uncanny Automator <= 6.4.0.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to...

CVSS 5.4 | EPSS 0.00156
Exploits: 0 | References: 2

Vulnrichment
added 2025/04/12 6:37 a.m. | 7 views

CVE-2024-13337 Webcraftic Clearfy – WordPress optimization plugin <= 2.3.2 - Cross-Site Request Forgery to Plugin Settings Update via 'setup-wbcr_clearfy'

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.2. This is due to missing or incorrect nonce validation on the 'setup-wbcr_clearfy' page. This makes it possibl...

CVSS 4.3 | AI score 6.7 | EPSS 0.00323
Exploits: 0 | References: 3

NVD
added 2025/02/12 5:15 a.m. | 11 views

CVE-2024-13769

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for...

CVSS 6.4 | EPSS 0.00076
Exploits: 0 | References: 2

CVE
added 2025/02/12 4:22 a.m. | 49 views

CVE-2024-13769

CVE-2024-13769 – Puzzles theme (WP Magazine / Review with Store WordPress Theme + RTL) Vulnerability: Stored Cross-Site Scripting due to a missing capability check on the theme_options_ajax_post_action AJAX action. Affected versions: all versions up to and including 4.2.4. Impact: Authenticated a...

CVSS 6.4 | AI score 5.8 | EPSS 0.00076
Exploits: 0 | References: 2 | Affected Software: 1