
837 matches found

Positive Technologies
added 2025/04/17 12:0 a.m. · 3 views

PT-2025-16937 · WordPress · The Ultimate Dashboard

Name of the Vulnerable Software and Affected Versions: The Ultimate Dashboard WordPress plugin versions prior to 3.8.6 Description: The issue concerns a Stored Cross-Site Scripting vulnerability. It arises because the plugin does not properly sanitise and escape some of its settings, allowing...

CVSS 3.5 · AI score 4.6 · EPSS 0.00116
Exploits 1 · References 8
RedhatCVE
added 2025/04/14 7:1 a.m. · 10 views

CVE-2024-13337

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.2. This is due to missing or incorrect nonce validation on the 'setup-wbcr_clearfy' page. This makes it possibl...

CVSS 4.3 · AI score 6.7 · EPSS 0.00323
Exploits 0 · References 1
Vulnrichment
added 2025/04/12 6:37 a.m. · 7 views

CVE-2024-13337 Webcraftic Clearfy – WordPress optimization plugin <= 2.3.2 - Cross-Site Request Forgery to Plugin Settings Update via 'setup-wbcr_clearfy'

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.2. This is due to missing or incorrect nonce validation on the 'setup-wbcr_clearfy' page. This makes it possibl...

CVSS 4.3 · AI score 6.7 · EPSS 0.00323
Exploits 0 · References 3
Patchstack
added 2025/04/02 10:47 a.m. · 7 views

WordPress WP Video Playlist plugin <= 1.1.2 - Settings Change vulnerability

Settings Change vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin WP Video Playlist versions <= 1.1.2...

CVSS 6.5 · AI score 8.4 · EPSS 0.00167
Exploits 0 · Affected Software 1
Cvelist
added 2025/03/22 6:41 a.m. · 11 views

CVE-2025-0807 CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Settings Update

The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the citssettingstab function. This makes it possible for...

CVSS 4.3 · EPSS 0.00087
Exploits 0 · References 2
Vulnrichment
added 2025/03/15 9:57 p.m. · 10 views

CVE-2025-26899 WordPress Recapture for WooCommerce Plugin <= 1.0.43 - CSRF to Settings Change vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing Recapture for WooCommerce (recapture-for-woocommerce) allows Cross Site Request Forgery. This issue affects Recapture for WooCommerce: from n/a through <= 1.0.43...

CVSS 6.5 · AI score 8.5 · EPSS 0.00068
Exploits 0 · References 1
OSV
added 2025/03/08 6:15 a.m. · 1 view

CVE-2024-13826

The Email Keep WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVSS 5.4 · AI score 7.3 · EPSS 0.00041
Exploits 1 · References 1
NVD
added 2025/02/19 8:15 a.m. · 4 views

CVE-2025-0865

The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings function. This makes it possible for unauthenticated attackers to alter plugin settings...

CVSS 6.5 · EPSS 0.00143
Exploits 0 · References 6
Cvelist
added 2025/02/19 7:32 a.m. · 12 views

CVE-2025-0865 WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update

The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings function. This makes it possible for unauthenticated attackers to alter plugin settings...

CVSS 6.5 · EPSS 0.00143
Exploits 0 · References 6
Vulnrichment
added 2025/02/19 7:32 a.m. · 5 views

CVE-2025-0865 WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update

The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings function. This makes it possible for unauthenticated attackers to alter plugin settings...

CVSS 6.5 · AI score 6.2 · EPSS 0.00143
Exploits 0 · References 6
CVE
added 2025/02/19 7:32 a.m. · 46 views

CVE-2025-0865

The WP Media Category Management plugin for WordPress (WP-MCM) versions 2.0-2.3.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to missing/incorrect nonce validation in wp_mcm_handle_action_settings(). This could allow unauthenticated attackers to alter the plugin settings...

CVSS 6.5 · AI score 6.1 · EPSS 0.00143
Exploits 0 · References 6 · Affected Software 1
CVE
added 2025/02/15 11:26 a.m. · 41 views

CVE-2024-13439

CVE-2024-13439 affects the WordPress plugin “Team – Team Members Showcase Plugin” (TLTeam) and is confirmed across multiple sources. The vulnerability is a missing capability check in the response() function in all versions up to and including 4.4.9, enabling authenticated users with Subscriber l...

CVSS 4.3 · AI score 6.5 · EPSS 0.00134
Exploits 0 · References 5 · Affected Software 1
Cvelist
added 2025/02/15 8:25 a.m. · 15 views

CVE-2025-0935 Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change

The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVSS 4.3 · EPSS 0.00106
Exploits 0 · References 5
Vulnrichment
added 2025/02/15 8:25 a.m. · 6 views

CVE-2025-0935 Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change

The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to...

CVSS 4.3 · AI score 6.5 · EPSS 0.00106
Exploits 0 · References 5
Patchstack
added 2025/02/14 10:24 p.m. · 3 views

WordPress Media Library Folders plugin <= 8.3.0 - Missing Authorization to Plugin Settings Change vulnerability

Missing Authorization to Plugin Settings Change vulnerability discovered by Brian Sans-Souci (liardom) in WordPress Plugin Media Library Folders versions <= 8.3.0...

CVSS 4.3 · AI score 7 · EPSS 0.00106
Exploits 0 · References 1 · Affected Software 1
RedhatCVE
added 2025/02/14 9:56 a.m. · 4 views

CVE-2024-13437

The Book a Room plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9. This is due to missing or incorrect nonce validation on the 'bookaroomSettings' page. This makes it possible for unauthenticated attackers to update the plugin's settings vi...

CVSS 4.3 · AI score 9.1 · EPSS 0.00119
Exploits 0 · References 1
NVD
added 2025/02/12 10:15 a.m. · 11 views

CVE-2024-13437

The Book a Room plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9. This is due to missing or incorrect nonce validation on the 'bookaroomSettings' page. This makes it possible for unauthenticated attackers to update the plugin's settings vi...

CVSS 4.3 · EPSS 0.00119
Exploits 0 · References 2
NVD
added 2025/02/12 5:15 a.m. · 11 views

CVE-2024-13769

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for...

CVSS 6.4 · EPSS 0.00076
Exploits 0 · References 2
CVE
added 2025/02/12 4:22 a.m. · 52 views

CVE-2024-13769

CVE-2024-13769 – Puzzles theme (WP Magazine / Review with Store WordPress Theme + RTL) Vulnerability: Stored Cross-Site Scripting due to a missing capability check on the theme_options_ajax_post_action AJAX action. Affected versions: all versions up to and including 4.2.4. Impact: Authenticated a...

CVSS 6.4 · AI score 5.8 · EPSS 0.00076
Exploits 0 · References 2 · Affected Software 1
RedhatCVE
added 2025/02/07 5:49 p.m. · 8 views

CVE-2024-53994

Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable...

CVSS 4.3 · AI score 6.4 · EPSS 0.00218
Exploits 0 · References 1