CVE-2025-6754
CVE-2025-6754 (SEO Metrics for WordPress) : The WordPress plugin versions 1.0.5–1.0.15 are affected by privilege escalation due to missing authorization checks in seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint(). An attacker with subscriber-level access can obtai...
CVE-2025-5930
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request...
CVE-2024-4409
The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a...
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Description The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handleauthrequest' and 'hadleloginrequest'. This makes it possible for non-authenticated attackers to log in as any existing user on the site, such as an...
PT-2023-32353 · WordPress · Thumbnail Slider With Lightbox
Name of the Vulnerable Software and Affected Versions: The Thumbnail Slider With Lightbox plugin for WordPress version 1.0 Description: The issue is due to missing or incorrect nonce validation on the addedit functionality. This allows unauthenticated attackers to upload arbitrary files via a...
CVE-2023-4926 BEAR <= 1.1.3.3 - Cross-Site Request Forgery to Product Deletion
The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobebulkdeleteproducts function. This makes it possible for unauthenticated attackers to delete products via a forged request...
PT-2023-12506 · WordPress · Locations
Name of the Vulnerable Software and Affected Versions: Locations plugin for WordPress versions up to, and including, 3.2.1 Description: The issue is due to missing or incorrect nonce validation on the saveCustomFields function, making it possible for unauthenticated attackers to update custom fie...
Ian Dunn: Send emails to all users using Camptix
Ian, This is my first stab at submitting a bug, and I'm not even sure it is one. Here's what I found. If an admin of a site using Camptix who is logged into the admin screen visits a malicious site which has access to a valid wpnonce value could send a large volume of spam to all ticket holders...