837 matches found
CVE-2025-9627
The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirlpluginoptions function. This makes it possible for unauthenticated attackers to modify plugin settings includi...
CVE-2025-9627
The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirlpluginoptions function. This makes it possible for unauthenticated attackers to modify plugin settings includi...
CVE-2025-0763 Ultimate Classified Listings <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomfields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access a...
PT-2025-37147
The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl plugin options function. This makes it possible for unauthenticated attackers to modify plugin settings...
CVE-2025-7827
The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the niwoocpraction function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2025-7827
The CVE-2025-7827 entry affects the Ni WooCommerce Customer Product Report plugin for WordPress. It documents a missing capability check in the ni_woocpr_action() function across all versions up to 1.2.4, enabling authenticated attackers with Subscriber-level access and above to modify plugin set...
CVE-2025-8080
The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-8080
The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-7835
The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughtsaceupdateoptions' AJAX action. This makes it possible for unauthenticated attacke...
CVE-2025-7835
The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughtsaceupdateoptions' AJAX action. This makes it possible for unauthenticated attacke...
CVE-2025-7835 iThoughts Advanced Code Editor <= 1.2.10 - Cross-Site Request Forgery to Settings Update
The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughtsaceupdateoptions' AJAX action. This makes it possible for unauthenticated attacke...
CVE-2025-3780
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfmredirecttosetup function in all versions up to, and including, 6.7.16. This makes i...
CVE-2025-3780 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfmredirecttosetup function in all versions up to, and including, 6.7.16. This makes i...
CVE-2025-5933
CVE-2025-5933 : The RD Contacto WordPress plugin (versions up to 1.4) is vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in the rdWappUpdateData() function. This enables unauthenticated attackers to trigger settings updates by enticing a site administrator to pe...
CVE-2025-5933 RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update
The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData function. This makes it possible for unauthenticated attackers to update plugin settings via a...
CVE-2025-5692
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /includes/LBadminajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with...
PT-2025-27292 · WordPress · Micropayments – Fans Paysite
Name of the Vulnerable Software and Affected Versions: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress versions up to, and including, 3.2.0 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...
CVE-2025-5932
CVE-2025-5932 (Homerunner WordPress plugin) affects Homerunner (WordPress) up to version 1.0.29. Root cause: missing or incorrect nonce validation on main_settings(), enabling unauthenticated CSRF to update plugin settings via forged requests. Impact: can alter settings if an admin clicks a link....
CVE-2025-5932 Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update
The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the mainsettings function. This makes it possible for unauthenticated attackers to update plugin settings via a...
CVE-2025-5932 Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update
The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the mainsettings function. This makes it possible for unauthenticated attackers to update plugin settings via a...