WordPress Remove NoFollow Commenter URL plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by swat in WordPress Plugin Remove NoFollow Commenter URL versions = 1.0...

WordPress Remove meta boxes per user role plugin <= 1.01 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Remove meta boxes per user role versions = 1.01...

CVE-2026-8906

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2026-8941

The CVE concerns the WordPress plugin CDN Linker lite (

PT-2026-43574

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2026-4139

The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the computepost function, which processes settings updates. The computepost function is...

EUVD-2026-19576

The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates...

CVE-2026-1900

The CVE concerns the Link Whisper Free WordPress plugin for WordPress sites, affected version

PT-2026-30797

Name of the Vulnerable Software and Affected Versions Link Whisper Free WordPress plugin versions prior to 0.9.1 Description The Link Whisper Free WordPress plugin has a publicly accessible REST endpoint that allows unauthenticated users to update settings. Recommendations Update to version 0.9.1...

CVE-2026-1392

The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...

WordPress SR WP Minify HTML plugin <= 2.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin SR WP Minify HTML versions = 2.1...

WordPress Lobot Slider Administrator plugin <= 0.6.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Lobot Slider Administrator versions = 0.6.0...

CVE-2026-4143

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncffaddpluginpage function which handles settings updates. This makes it possible for unauthenticated...

CVE-2026-1390 Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdownsettingscontent function. This makes it possible for unauthenticated attackers to update the plugin settings...

CVE-2026-1393

The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to...

EUVD-2026-11034

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reloadpreview function. This makes it possible for...

EUVD-2026-10127

The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the...

CVE-2026-1377

The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged...

CVE-2026-1377 imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update

The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged...

WordPress Alex User Counter plugin <= 6.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Alex User Counter versions = 6.0...