11 matches found
CVE-2026-3332
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...
EUVD-2019-5546
Malware in sbrugna...
EUVD-2016-1893
Malware in sbrugna...
EUVD-2022-38134
Malicious code in bioql PyPI...
CVE-2025-5933 RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update
The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData function. This makes it possible for unauthenticated attackers to update plugin settings via a...
CVE-2021-24405
The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users such as subscriber to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not...
WordPress WP Video Playlist plugin <= 1.1.2 - Settings Change vulnerability
Settings Change vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin WP Video Playlist versions = 1.1.2...
PT-2025-2163 · WordPress · The Food Menu – Restaurant Menu & Online Ordering
Name of the Vulnerable Software and Affected Versions: The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress versions up to, and including, 5.1.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to modify the plugin's...
CVE-2024-3636 Pinpoint Booking System < 2.9.9.4.8 - Admin+ Stored XSS
The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-2470 Add to Feedly <= 1.2.11 - Admin+ Stored XSS
The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
CVE-2021-24196 Social Slider Widget < 1.8.5 - Authenticated Reflected Cross-Site Scripting (XSS)
The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘tokenerror’ parameter can be controlled by users and it is directly echoed without being sanitized...