CVE-2025-7835 iThoughts Advanced Code Editor <= 1.2.10 - Cross-Site Request Forgery to Settings Update
The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughtsaceupdateoptions' AJAX action. This makes it possible for unauthenticated attacke...
CVE-2025-3780 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfmredirecttosetup function in all versions up to, and including, 6.7.16. This makes i...
CVE-2025-5933 RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update
The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData function. This makes it possible for unauthenticated attackers to update plugin settings via a...
CVE-2025-5933
CVE-2025-5933 : The RD Contacto WordPress plugin (versions up to 1.4) is vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in the rdWappUpdateData() function. This enables unauthenticated attackers to trigger settings updates by enticing a site administrator to pe...
CVE-2025-5692
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /includes/LBadminajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with...
PT-2025-27292 · WordPress · Micropayments – Fans Paysite
Name of the Vulnerable Software and Affected Versions: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress versions up to, and including, 3.2.0
Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...
CVE-2025-5932 Homerunner <= 1.0.30 - Cross-Site Request Forgery to Settings Update
The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.30. This is due to missing or incorrect nonce validation on the mainsettings function. This makes it possible for unauthenticated attackers to update plugin settings via a...
CVE-2025-5932
CVE-2025-5932 (Homerunner WordPress plugin) affects Homerunner (WordPress) up to version 1.0.29. Root cause: missing or incorrect nonce validation on main_settings(), enabling unauthenticated CSRF to update plugin settings via forged requests. Impact: can alter settings if an admin clicks a link....
CVE-2025-49763
A flaw was found in trafficserver. The Edge Side Includes ESI plugin lacks a limit on maximum inclusion depth, allowing a remote attacker to trigger excessive memory consumption by inserting malicious instructions. This condition occurs due to the plugin's inability to restrict the nesting of ESI...
CVE-2025-3880 Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 - Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with...
CVE-2025-5928
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wpslidingpaneluseroptions function. This makes it possible for unauthenticated attackers t...
CVE-2025-5930
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request...
CVE-2024-9592
The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgcpluginoptions' function. This makes it possible for unauthenticated attackers to update the...
CVE-2024-3216
The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wtpklistresetsettings function in all versions up to, and including, 4.4.2. This makes it possible for...
CVE-2024-1760
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. This is due to missing or incorrect nonce validation on the ssafactoryreset function. This makes it...
CVE-2024-7574
The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious...
CVE-2025-4105
The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with...