EUVD-2025-204622

The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'halloweltseite' function. This makes it possible for unauthenticated attackers to update plugin settings and...

CVE-2025-14394

The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they...

CVE-2025-14394 Popover Windows <= 1.2 - Cross-Site Request Forgery to Arbitrary Popover Configuration Update

The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they...

CVE-2025-14288 Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification

The Gallery Blocks with Lightbox. Image Gallery, HTML5 video , YouTube, Vimeo Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the editposts...

CVE-2025-14288

CVE-2025-14288 affects Gallery Blocks with Lightbox (WordPress) up to 3.3.0. Root cause: update_option AJAX handler (pgc_sgb_action_wizard) checks edit_posts instead of the more restrictive manage_options, enabling authenticated attackers with Contributor+ access to modify arbitrary pgc_sgb_* plu...

CVE-2025-14462

The CVE-2025-14462 issue affects the Lucky Draw Contests plugin for WordPress (versions

WordPress plugin Gallery Blocks with Lightbox 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A security...

CVE-2025-13314 Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.6 - Missing Authorization to Unauthenticated Plugin Settings Modification

The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.6 due to a missing capability check on the 'filtersavesettings' and 'addfilteroptions' AJAX action...

CVE-2025-13314

CVE-2025-13314 affects the WordPress plugin Filter Plus – Product Filtering by Categories, Tags, Price Range for WooCommerce (Filter Plus) up to version 1.1.5. The issue is caused by missing capability checks on two AJAX actions, filter_save_settings and add_filter_options , allowing unauthentica...

CVE-2025-14392 Simple Theme Changer <= 1.0. - Missing Authorization to Plugin Settings Update via AJAX Actions

The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the userthemeadmin, displaymethodadmin, and setchangethemebuttonname actions actions in all versions up to, and including, 1.0. This makes it possible for...

PT-2025-50858

The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including th...

PT-2025-50814

The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter save settings' and 'add filter options' AJAX...

CVE-2025-13684

The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the arkrpoptionspage function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a...

CVE-2025-13621

The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's...

EUVD-2025-201369

The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the savedatahcps function. This makes it possible for unauthenticated attackers to...

CVE-2025-12370

CVE-2025-12370 affects the WordPress Takeads plugin, with exploitation described as an authorization bypass in all versions up to and including 1.0.13. The vulnerability allows authenticated users with subscriber-level access and above to delete the plugin’s configuration options due to improper ...

EUVD-2025-201385

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the addcstusettings function. This makes it possible for unauthenticated attackers to modify plugin settings v...

CVE-2025-66298

Grav is a file-based CMS affected by a server‑side template injection (SSTI) via forms. A crafted POST can disclose the entire Grav configuration, including plugin settings, exposing sensitive information. This vulnerability exists in Grav prior to 1.8.0-beta.27 and is fixed in 1.8.0-beta.27. Rem...

EUVD-2025-199574

The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionsupdate' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a...

CVE-2025-11815

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uipsavesiteoption function in all versions up to, and including, 3.5.08. This makes it possible for authenticate...