9 matches found

Cvelist · added 6 days ago

CVE-2026-2382 FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'id' Parameter

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpwfsgetfile' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 · EPSS 0.0003 · Exploits: 0 · References: 4
EUVD · added 2026/04/22 9:31 a.m.

EUVD-2026-24677

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage function which processes settings updates. The form at line 314 does not include a wpnoncefield,...

CVSS 4.3 · AI score 5.7 · EPSS 0.00006 · Exploits: 0 · References: 6
Positive Technologies · added 2025/06/28 12:00 a.m.

PT-2025-27292 · WordPress · Micropayments – Fans Paysite

Affected software and versions: the MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress, versions up to and including 3.2.0. Description: Cross-Site Request Forgery due to missing or incorrect nonce...

CVSS 4.3 · AI score 6.8 · EPSS 0.00041 · Exploits: 0 · References: 8
Positive Technologies · added 2025/06/13 12:00 a.m.

PT-2025-25399 · WordPress · Auto Attachments

Affected software and versions: the Auto Attachments plugin for WordPress, versions up to and including 1.8.5. Description: Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticat...

CVSS 5.5 · AI score 5.1 · EPSS 0.00226 · Exploits: 0 · References: 7
Cvelist · added 2025/06/04 6:00 a.m.

CVE-2025-4580 File Provider <= 1.2.3 - Item Deletion via CSRF

The File Provider WordPress plugin through 1.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

EPSS 0.00091 · Exploits: 1 · References: 1
OSV · added 2025/05/30 7:25 p.m.

CVE-2025-48948 Navidrome Transcoding Permission Bypass Vulnerability Report

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVSS 8.7 · AI score 6.2 · EPSS 0.00233 · Exploits: 1 · References: 5
AlpineLinux · added 2025/05/30 7:25 p.m.

CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVSS 8.7 · AI score 7 · EPSS 0.00233 · Exploits: 1
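The two CVE-2025-48948 entries above describe the same flaw class: an endpoint that checks only that the caller is authenticated, not that the caller holds the admin role the operation requires. The Go program below is an added illustration of that shape and its fix; it is not Navidrome's code and makes no claim about how Navidrome's routes or user model are implemented. The `X-Demo-User` header, the `User` type, the `users` map and the `/api/vuln/...` and `/api/fixed/...` paths are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// User is a constructed role model for the example (not Navidrome's).
type User struct {
	Name    string
	IsAdmin bool
}

// userFromRequest resolves the caller from a constructed header. A real server
// would take this from the session or token; the header is only a stand-in.
func userFromRequest(r *http.Request, users map[string]User) (User, bool) {
	u, ok := users[r.Header.Get("X-Demo-User")]
	return u, ok
}

// requireAdmin wraps a handler so that only authenticated admins reach it.
// Returning 401 for unknown callers and 403 for non-admins keeps the two
// failure modes distinguishable in logs.
func requireAdmin(users map[string]User, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, ok := userFromRequest(r, users)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// transcodingCreate stands in for an admin-only configuration write
// (creating a transcoding profile). It echoes the decoded body back.
func transcodingCreate(w http.ResponseWriter, r *http.Request) {
	var body struct {
		Name    string `json:"name"`
		Command string `json:"command"`
	}
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(body)
}

// NewMux registers the vulnerable shape and the corrected shape side by side.
func NewMux(users map[string]User) *http.ServeMux {
	mux := http.NewServeMux()
	// Vulnerable: authentication is checked, the role is not, so any
	// regular user can create a transcoding profile.
	mux.HandleFunc("/api/vuln/transcoding", func(w http.ResponseWriter, r *http.Request) {
		if _, ok := userFromRequest(r, users); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		transcodingCreate(w, r)
	})
	// Fixed: the role check runs before the handler does.
	mux.HandleFunc("/api/fixed/transcoding", requireAdmin(users, transcodingCreate))
	return mux
}

func main() {
	users := map[string]User{
		"alice": {Name: "alice", IsAdmin: true},
		"bob":   {Name: "bob", IsAdmin: false},
	}
	http.ListenAndServe("127.0.0.1:8080", NewMux(users))
}
```

The check belongs in a wrapper applied at route registration rather than inside each handler body, so that a newly added admin-only route cannot forget it; auditing for this bug class then reduces to listing routes that are registered without the wrapper.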
NVD · added 2025/05/24 3:15 a.m.

CVE-2025-5055

The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 4.4 · EPSS 0.00163 · Exploits: 0 · References: 3
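Three entries above (CVE-2026-2382, PT-2025-25399 and CVE-2025-5055) attribute stored XSS to "insufficient input sanitization and output escaping". The plugin fragment below is an added illustration of what that phrase means in WordPress code, not code from FPW Category Thumbnails, Auto Attachments or Smart Forms: a setting stored raw and echoed raw, beside the same setting sanitized on write and escaped for its output context on read, plus an AJAX handler that coerces an `id` parameter to an integer before using it. The `demo_*` functions, option names and action names are hypothetical; `register_setting`, `sanitize_text_field`, `esc_html`, `esc_attr`, `check_ajax_referer`, `absint`, `wp_send_json_*` and `wp_get_attachment_url` are WordPress core functions, so the file runs only inside a WordPress install.

```php
<?php
/*
Plugin Name: Stored XSS demo (added illustration, hypothetical plugin)
*/

// Before: the value goes in raw and comes out raw. Any user allowed to reach
// this settings page can store a payload that runs for every later viewer.
function demo_xss_vulnerable_save() {
    update_option( 'demo_label', $_POST['demo_label'] );        // no sanitization
}
function demo_xss_vulnerable_render() {
    $label = get_option( 'demo_label', '' );
    echo '<h2>' . $label . '</h2>';                               // no escaping (HTML text context)
    echo '<input type="text" name="demo_label" value="' . $label . '">'; // no escaping (attribute context)
}

// After: sanitize on the way in via the Settings API's sanitize_callback,
// and escape on the way out with the function that matches the context.
// Sanitizing alone is not sufficient: stored data may predate the fix or
// arrive through another path, so the output side must escape regardless.
function demo_xss_hardened_register() {
    register_setting( 'demo_settings', 'demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_xss_hardened_register' );

function demo_xss_hardened_render() {
    $label = get_option( 'demo_label', '' );
    echo '<h2>' . esc_html( $label ) . '</h2>';
    echo '<input type="text" name="demo_label" value="' . esc_attr( $label ) . '">';
}

// AJAX handler taking an 'id' parameter. This is an assumed shape, not the
// 'fpwfsgetfile' action from the CVE-2026-2382 entry: the point is that
// absint() leaves nothing but digits to store or echo, the nonce ties the
// request to a page the user actually loaded, and the JSON helpers encode
// the response so no caller-controlled string is written as raw HTML.
function demo_ajax_get_file() {
    check_ajax_referer( 'demo_get_file', 'nonce' );
    $id = absint( $_GET['id'] ?? 0 );
    if ( 0 === $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = wp_get_attachment_url( $id );
    if ( ! $url ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'id' => $id, 'url' => esc_url_raw( $url ) ) );
}
add_action( 'wp_ajax_demo_get_file', 'demo_ajax_get_file' );
```

When reviewing a plugin for this class, grep for `echo`, `print` and `?=` and check that every variable reaching HTML passes through an `esc_*` function chosen for its context (`esc_html` for text, `esc_attr` for attributes, `esc_url` for `href`/`src`); a `sanitize_*` call at save time does not substitute for that.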
CVE · added 2025/05/15 8:07 p.m.

CVE-2024-8094

CVE-2024-8094 identifies a CSRF flaw in the Ntz Antispam WordPress plugin (versions up to 2.0e): the settings update flow lacks a CSRF check, so a CSRF attack could cause a logged-in admin to change the plugin's settings. Pub...

CVSS 6.5 · AI score 6.8 · EPSS 0.00186 · Exploits: 1 · References: 1 · Affected software: 1
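Four of the entries above (EUVD-2026-24677, PT-2025-27292, CVE-2025-4580 and CVE-2024-8094) share one root cause: a settings form whose handler writes options without a nonce check, so a page controlled by an attacker can submit that form with the browser of a logged-in administrator. The fragment below is an added illustration of the vulnerable shape and the fix, not code from TextP2P, MicroPayments, File Provider or Ntz Antispam. The `demo_*` functions, option and action names are hypothetical; `wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_unslash`, `sanitize_text_field`, `esc_attr` and `add_options_page` are WordPress core functions, so the file runs only inside a WordPress install.

```php
<?php
/*
Plugin Name: Settings CSRF demo (added illustration, hypothetical plugin)
*/

// Before: the form carries no nonce and the handler verifies neither a nonce
// nor a capability. The menu registration below restricts who can *view* the
// page, but a forged cross-site POST is sent by the admin's own browser, so
// the write still happens.
function demo_vulnerable_options_page() {
    if ( isset( $_POST['demo_api_key'] ) ) {
        update_option( 'demo_api_key', sanitize_text_field( wp_unslash( $_POST['demo_api_key'] ) ) );
    }
    ?>
    <form method="post">
        <input type="text" name="demo_api_key" value="<?php echo esc_attr( get_option( 'demo_api_key', '' ) ); ?>">
        <input type="submit" value="Save">
    </form>
    <?php
}

// After: the form embeds a nonce bound to the action name, and the handler
// checks it before touching the option. check_admin_referer() calls wp_die()
// on a missing or invalid nonce, so nothing below it runs on a forged request.
// The capability check is kept as well: a nonce proves the request came from
// a page this user loaded, not that the user is allowed to do this.
function demo_hardened_options_page() {
    if ( isset( $_POST['demo_api_key'] ) ) {
        check_admin_referer( 'demo_save_settings', 'demo_nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        update_option( 'demo_api_key', sanitize_text_field( wp_unslash( $_POST['demo_api_key'] ) ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="text" name="demo_api_key" value="<?php echo esc_attr( get_option( 'demo_api_key', '' ) ); ?>">
        <input type="submit" value="Save">
    </form>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page( 'Demo Settings', 'Demo Settings', 'manage_options', 'demo-settings', 'demo_hardened_options_page' );
} );
```

To confirm the fix from the outside, save a copy of the form's HTML on a different origin, strip the nonce field, and submit it while logged in as an administrator: the hardened handler must refuse with the "link you followed has expired" page, and the option must be unchanged afterwards. A form that posts to `options.php` through `settings_fields()` gets the same nonce handling from core, which is the usual reason plugin authors are advised to use the Settings API rather than a hand-written handler.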