461 matches found
PT-2026-34296
Name of the Vulnerable Software and Affected Versions mCatFilter versions prior to 0.5.3 Description The mCatFilter plugin for WordPress is susceptible to Cross-Site Request Forgery. The compute post function, which processes settings updates, lacks nonce verification and capability checks. This...
WordPress Fast & Fancy Filter – 3F plugin <= 1.2.2 - Cross-Site Request Forgery to Settings Modification vulnerability
Cross-Site Request Forgery to Settings Modification vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Fast & Fancy Filter – 3F versions = 1.2.2...
CVE-2026-34834
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the verifyIdentity function contained logic that returned true if no session cookies were present. This allowed unauthenticated attackers to bypass security checks and access/modify user settings vi...
EUVD-2026-16583
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...
CVE-2026-4309
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...
CVE-2026-4309
Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows a attacker to get a specific device information and change the settings via network...
CVE-2026-3567
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...
EUVD-2026-14158
The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...
CVE-2026-3332
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveglobalsettings' function in all versions up to, and including, 3.5.09. This makes it possible for...
CVE-2026-3567 RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...
CVE-2026-1993
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the updatesettings function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible fo...
CVE-2026-1087
The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings,...
MAL-2026-1090 Malicious code in isb (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 93750cbddba7897fde1d31836971e11082ad2076012c7caf708980de45827840 Starting the module initiates an infostealer with a Telegram bot and RAT-like functionality and hardcoded credentials. The code automatically adds itself to...
WordPress Aruba HiSpeed Cache plugin <= 3.0.2 - Missing Authorization to Unauthenticated Plugin's Settings Modification vulnerability
Missing Authorization to Unauthenticated Plugin's Settings Modification vulnerability discovered by mikemyers in WordPress Plugin Aruba HiSpeed Cache versions = 3.0.2...
CVE-2025-14167
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR || instead of AND &&, causing the validation to fail when the nonce field is not empty OR when...
CVE-2025-14357
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...
CVE-2025-14167
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR || instead of AND &&, causing the validation to fail when the nonce field is not empty OR when...
CVE-2026-1455
CVE-2026-1455 refers to the Whatsiplus Scheduled Notification for Woocommerce WordPress plugin. The vulnerability is a Cross‑Site Request Forgery (CSRF) affecting versions up to and including 1.0.1 due to missing nonce validation on the AJAX action named wsnfw_save_users_settings. This weakness a...
CVE-2025-14357 Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...