CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...

CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...

CVE-2026-1043

CVE-2026-1043 affects the PostmarkApp Email Integrator plugin for WordPress, vulnerable in versions up to and including 2.4. The issue is a Stored XSS in plugin settings due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address fields. An authenticated a...

WordPress plugin Country Blocker for AdSense 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-20575

Name of the Vulnerable Software and Affected Versions GDPR Cookie Consent plugin for WordPress versions up to and including 4.1.2 Description The plugin is susceptible to unauthorized data access because of a missing capability check on the /gdpr/v1/settings API endpoint. This allows...

CVE-2026-2230

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handleajaxsave function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-2230

The CVE-2026-2230 entry concerns the WordPress Booking Calendar plugin (versions

WordPress plugin MDirector Newsletter 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery

Sygnoos Popup Builder plugin = 4.1.11 for WordPress contains a cross-site request forgery caused by lack of CSRF protection in plugin settings update, letting attackers change settings without authorization, exploit requires victim to visit malicious site or click malicious link. id: CVE-2022-294...

CVE-2019-25314 Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces...

CVE-2026-1786 Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dgtwoptions' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including...

CVE-2026-1215 MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mmacalltrackingmenu admin page. This makes it possible for unauthenticated attackers...

CVE-2026-1215

CVE-2026-1215 : The MMA Call Tracking WordPress plugin is vulnerable to Cross-Site Request Forgery up to and including version 2.3.15 due to missing nonce validation on the mma_call_tracking_menu admin page. Unauthenticated attackers could modify configuration by tricking an admin into forging a ...

WordPress MMA Call Tracking plugin <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin MMA Call Tracking versions = 2.3.15...

CVE-2026-1082

The CVE concerns the TITLE ANIMATOR WordPress plugin, where a Cross-Site Request Forgery flaw exists in all versions up to and including 1.0 due to missing nonce validation on the settings-page form handler in inc/settings-page.php. This allows unauthenticated attackers to modify plugin settings ...

CVE-2026-0572

The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurifysaveoptions' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settin...

CVE-2026-0681

The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-0572

The CVE-2026-0572 entry concerns the WebPurify Profanity Filter plugin for WordPress. A missing capability check on the webpurify_save_options function affects all versions up to and including 4.0.2, allowing unauthenticated attackers to modify plugin settings and thus perform data modification. ...

WordPress Internal Link Builder plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin's Settings vulnerability discovered by 0x34rth in WordPress Plugin Internal Link Builder versions = 1.0...

CVE-2025-14906

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave function. This makes it possible for unauthenticated attackers to modify plugin...