WordPress WP Youtube Video Gallery plugin <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin WP Youtube Video Gallery versions = 1.0...

PT-2026-4604

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the wp footer action. This makes it possible...

GetSimple Content Management System: Code Injection Vulnerability

GetSimple Content Management System is an open-source content management system developed by GetSimpleCMS. Version 1.1.2 of GetSimple Content Management System has a code injection vulnerability. This vulnerability stems from PHP code injection through plugin configuration parameters, which may...

CVE-2025-14853

CVE-2025-14853 affects the LEAV Last Email Address Validator WordPress plugin (versions

CVE-2026-0739

The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...

CVE-2026-0741

The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-14846

The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...

CVE-2025-14482

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with...

CVE-2025-15021 Gotham Block Extra Light <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVE-2025-15021

The CVE-2025-15021 entry concerns the WordPress Gotham Block Extra Light plugin. A stored XSS vulnerability exists in admin settings for all versions up to 1.5.0, caused by insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions (and above...

WordPress Perfit WooCommerce plugin <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Perfit WooCommerce versions = 1.0.1...

WordPress Gotham Block Extra Light plugin <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Gotham Block Extra Light versions = 1.5.0...

CVE-2019-11869

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that isadmin verifies that the request comes from an admin user it actually only verifies that the request is for an admin page. An unauthenticated attacker can inject a payload into the plugin settings, suc...

CVE-2025-14465

The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabsoptionspageformsubmit function. This makes it possible for unauthenticated attackers to update plug...

WordPress plugin BetterDocs 信息泄露漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. An information...

CVE-2025-14028 Contact Us Simple Form <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wit...

CVE-2025-14845 NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update

The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin'...

CVE-2025-14845 NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update

The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin'...

CVE-2025-14370

CVE-2025-14370 corresponds to the Quote Comments plugin for WordPress with Missing Authorization in all versions up to 3.0.0. The vulnerability allows authenticated users with Subscriber+ privileges to update arbitrary plugin options via the ‘action’ parameter, per Wordfence reporting. Current st...

CVE-2025-14904

CVE-2025-14904 affects Newsletter Email Subscribe (WordPress plugin). The WordPress plugin versions up to 2.4 are vulnerable to Cross-Site Request Forgery due to incorrect nonce validation in the nels_settings_page function, enabling unauthenticated attackers to update plugin settings via forged ...