WordPress — CWE-352

Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery.This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.2.

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery.This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0.

The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated …

The LockerPress – WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inje…

The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthentic…

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthent…

Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.34.

Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from n/a through <= 3.0.1.

Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule buffer-my-post allows Reflected XSS.This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and …

Cross-Site Request Forgery (CSRF) vulnerability in Tom Longridge WordPress Error Monitoring by Bugsnag bugsnag allows Stored XSS.This issue affects WordPress Error Monitoring by Bugsnag: from n/a through <= 1.6.3.

Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce &amp; WordPress flexible-invoices allows Cross Site Request Forgery.This issue affects Flexible PDF Invoices for WooCommerce &amp; WordPress: from n/a through <= 6.0.13.

Cross-Site Request Forgery (CSRF) vulnerability in AcmeeDesign WPShapere - WordPress admin theme wpshapere-lite allows Stored XSS.This issue affects WPShapere - WordPress admin theme: from n/a through <= 1.4.1.

Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Cross Site Request Forgery.This issue affects WordPress CTA: from n/a through <= 1.7.0.

Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web Server.This issue affects WING WordPress Migrator: from n/a through <= 1.2.0.

Cross-Site Request Forgery (CSRF) vulnerability in DexignZone JobZilla - Job Board WordPress Theme jobzilla allows Privilege Escalation.This issue affects JobZilla - Job Board WordPress Theme: from n/a through <= 2.0.

Cross-Site Request Forgery (CSRF) vulnerability in dactum Clickbank WordPress Plugin (Niche Storefront) clickbank-niche-storefronts allows Stored XSS.This issue affects Clickbank WordPress Plugin (Niche Storefront): from n/a through <= 1.3.5.

Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin amazon-showcase-wordpress-widget allows Stored XSS.This issue affects Amazon Showcase WordPress Plugin: from n/a through <= 2.2.

Cross-Site Request Forgery (CSRF) vulnerability in Eslam Mahmoud Redirect wordpress to welcome or landing page redirect-to-welcome-or-landing-page allows Stored XSS.This issue affects Redirect wordpress to welcome or landing page: from n/a through <= 2.0.

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.3. This is due to missing or incorrect nonce validation on the user_registration_pro_delete_account()…

Cross-Site Request Forgery (CSRF) vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily connect-daily-web-calendar allows Cross-Site Scripting (XSS).This issue affects WordPress Events Calendar Plugin – connectDaily: from n/a through <= 1.5.4.

Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation.This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.

Cross-Site Request Forgery (CSRF) vulnerability in wpzinc Post to Social Media – WordPress to Hootsuite wp-to-hootsuite allows Cross Site Request Forgery.This issue affects Post to Social Media – WordPress to Hootsuite: from n/a through <= 1.5.8.

Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Stored XSS.This issue affects CSS3 Accordions for WordPress: from n/a through <= 3.0.

Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery.This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through <= 1.0.3.

Cross-Site Request Forgery (CSRF) vulnerability in Aphotrax Uptime Robot Plugin for WordPress uptime-robot-monitor allows Cross Site Request Forgery.This issue affects Uptime Robot Plugin for WordPress: from n/a through <= 2.3.

Cross-Site Request Forgery (CSRF) vulnerability in AdminGeekZ Varnish WordPress varnish-wp allows Cross Site Request Forgery.This issue affects Varnish WordPress: from n/a through <= 1.7.

Cross-Site Request Forgery (CSRF) vulnerability in leadfox Leadfox for WordPress leadfox allows Cross Site Request Forgery.This issue affects Leadfox for WordPress: from n/a through <= 2.1.9.

Cross-Site Request Forgery (CSRF) vulnerability in wp-buy wordpress related Posts with thumbnails related-posts-list-grid-and-slider-all-in-one allows Stored XSS.This issue affects wordpress related Posts with thumbnails: from n/a through <= 3.0.0.1.

Cross-Site Request Forgery (CSRF) vulnerability in Anthony WordPress SQL Backup wordpress-sql-backup allows Stored XSS.This issue affects WordPress SQL Backup: from n/a through <= 3.5.2.

Cross-Site Request Forgery (CSRF) vulnerability in Donald Gilbert WordPress Admin Bar Improved wordpress-admin-bar-improved allows Stored XSS.This issue affects WordPress Admin Bar Improved: from n/a through <= 3.3.5.

Cross-Site Request Forgery (CSRF) vulnerability in lucksy Typekit plugin for WordPress typekit allows Cross Site Request Forgery.This issue affects Typekit plugin for WordPress: from n/a through <= 1.2.3.

Cross-Site Request Forgery (CSRF) vulnerability in codedraft Mediabay - WordPress Media Library Folders allows Reflected XSS. This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4.

Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress list-posts-by-category allows Stored XSS.This issue affects List of Posts from each Category plugin for WordPress: from n/a through <= 2.0.

Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin wordpress-gallery-plugin allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin: from n/a through <= 1.4.

Cross-Site Request Forgery (CSRF) vulnerability in jprintf CNZZ&51LA for WordPress cnzz51la-for-wordpress allows Cross Site Request Forgery.This issue affects CNZZ&51LA for WordPress: from n/a through <= 1.0.1.

Cross-Site Request Forgery (CSRF) vulnerability in Jan Štětina WordPress Logging Service wordpress-logging-service allows Stored XSS.This issue affects WordPress Logging Service: from n/a through <= 1.5.4.

Cross-Site Request Forgery (CSRF) vulnerability in marcucci Password Protect Plugin for WordPress password-protect-plugin-for-wordpress allows Stored XSS.This issue affects Password Protect Plugin for WordPress: from n/a through <= 0.8.1.0.

Cross-Site Request Forgery (CSRF) vulnerability in MD Abu Jubayer Hossain Easy Booked – Appointment Booking and Scheduling Management System for WordPress easy-booked allows Cross Site Request Forgery.This issue affects Easy Booked – Appointment Booking and Scheduling Management System for WordPress…

Cross-Site Request Forgery (CSRF) vulnerability in digitalzoomstudio Admin debug wordpress – enable debug dzs-enable-debug allows Cross Site Request Forgery.This issue affects Admin debug wordpress – enable debug: from n/a through <= 1.0.13.

The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forge…

The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site admi…

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settin…

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unaut…

The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to …

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for una…

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin s…

The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to enab…

The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_c…

The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.20. This is due to missing or incorrect nonce validation on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_or…

The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup Duplicator …

Cross-Site Request Forgery (CSRF) vulnerability in mattwalters WordPress Filter wordpress-filter allows Stored XSS.This issue affects WordPress Filter: from n/a through <= 1.4.1.

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.

Cross-Site Request Forgery (CSRF) vulnerability in DarkMySite DarkMySite – Advanced Dark Mode Plugin for WordPress darkmysite allows Cross Site Request Forgery.This issue affects DarkMySite – Advanced Dark Mode Plugin for WordPress: from n/a through 1.2.8.

Cross-Site Request Forgery (CSRF) vulnerability in Noor Alam WordPress Image SEO allows Cross Site Request Forgery.This issue affects WordPress Image SEO: from n/a through 1.1.4.

Cross-Site Request Forgery (CSRF) vulnerability in WPBackItUp Backup and Restore WordPress.This issue affects Backup and Restore WordPress: from n/a through 1.50.

The Soccer Engine – Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation when saving match and team settings. This makes it possible for unauthenticated attackers …

The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to missing or incorrect nonce validation on the plugin's AJAX actions.. This makes it possible for unauthenticated attackers to create and du…

The Joli FAQ SEO – WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's…

Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress File Upload: from n/a through 4.24.7.

Cross-Site Request Forgery (CSRF) vulnerability in Internal Link Juicer Internal Link Juicer: SEO Auto Linker for WordPress.This issue affects Internal Link Juicer: SEO Auto Linker for WordPress: from n/a through 2.24.3.

Cross-Site Request Forgery (CSRF) vulnerability in Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin.This issue affects Vimeography: Vimeo Video Gallery WordPress Plugin: from n/a through 2.4.1.

Cross-Site Request Forgery (CSRF) vulnerability in Microkid Related Posts for WordPress allows Cross-Site Scripting (XSS).This issue affects Related Posts for WordPress: from n/a through 4.0.3.

The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to missing or incorrect nonce validation on the ajax_handle_delete_icons() function. This makes it possible for unauthentica…

Cross-Site Request Forgery (CSRF) vulnerability in Eyal Fitoussi GEO my WordPress.This issue affects GEO my WordPress: from n/a through 4.1.

Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Import any XML or CSV File to WordPress.This issue affects Import any XML or CSV File to WordPress: from n/a through 3.7.3.

Cross-Site Request Forgery (CSRF) vulnerability in Anton Aleksandrov WordPress Hosting Benchmark tool.This issue affects WordPress Hosting Benchmark tool: from n/a through 1.3.6.

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional, realmag777 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net.This issue affects WOLF – WordPress Posts Bulk Editor and Manager Professional: f…

Cross-Site Request Forgery (CSRF) vulnerability in Tooltip WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 9.5.3.

Cross-Site Request Forgery (CSRF) vulnerability in WebToffee WordPress Comments Import & Export.This issue affects WordPress Comments Import & Export: from n/a through 2.3.5.

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF).This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.1.

Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress:…

Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; F…

Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2.

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filter_users functions. This makes it possible for unauthenticated attackers to elevate thei…

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers to update the f…

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory function. This makes it possible for unauthenticated attackers to clear categories vi…

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory function. This makes it possible for unauthenticated attackers to rename categories …

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory function. This makes it possible for unauthenticated attackers to delete categories …

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory function. This makes it possible for unauthenticated attackers to add categories via a …

The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for …

The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, them…

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes it possible for unauthen…

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on the wclearfy_cache_delete functionality . This makes i…

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.2. This is due to missing or incorrect nonce validation on the 'setup-wbcr_clearfy' page. This makes it possible …

The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it possible for unauthent…

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the save_groups_list function. This makes it possible for unauthen…

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esf_insta_save_access_token and efbl_save_facebook_access_toke…

The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the cs_menu page. This makes it possible for unauthenticated attackers to update settings a…

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.8. This is due to missing or incorrect nonce validation on the update_assistant, add_new_assistant, and delete_assistant functions. This makes it possible fo…

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This ma…

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_…

The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handle_create_link() function. This makes it possible for unauthenticated attackers to add related…

The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated …

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This makes it pos…

The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated at…

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.7 (for Free). This is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function. This makes …

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin option…

Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin – Easy Listing Directories for WordPress allows Cross-Site Request Forgery.This issue affects Business Directory Plugin – Easy Listing Directories for WordPress: from n/a through 6.3.10.

Cross-Site Request Forgery (CSRF) vulnerability in Mihai Iova WordPress Knowledge base & Documentation Plugin – WP Knowledgebase plugin <= 1.3.4 versions.

The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX action…

Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard.This issue affects White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard: from n/a through 2.9.0.

Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18.

Cross-Site Request Forgery (CSRF) vulnerability in Duplicator Duplicator – WordPress Migration & Backup Plugin.This issue affects Duplicator – WordPress Migration & Backup Plugin: from n/a through 1.5.7.

Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin.This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.5.

Cross-Site Request Forgery (CSRF) vulnerability in LiveChat LiveChat – WP live chat plugin for WordPress.This issue affects LiveChat – WP live chat plugin for WordPress: from n/a through 4.5.15.

Cross-Site Request Forgery (CSRF) vulnerability in Gift Up Gift Up Gift Cards for WordPress and WooCommerce.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through 2.21.3.

Cross-Site Request Forgery (CSRF) vulnerability in Wap Nepal Delete Post Revisions In WordPress allows Cross Site Request Forgery.This issue affects Delete Post Revisions In WordPress: from n/a through 4.6.

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through 3.37.

Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin allows Cross Site Request Forgery.This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.4.

Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Image Hover Effects – WordPress Plugin.This issue affects Image Hover Effects – WordPress Plugin: from n/a through 5.5.

Cross-Site Request Forgery (CSRF) vulnerability in WebberZone Top 10 – WordPress Popular posts by WebberZone plugin <= 3.3.2 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting WordPress Contact Forms by Cimatti plugin <= 1.6.0 versions.

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.7.1 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Pixelative, Mohsin Rafique AMP WP – Google AMP For WordPress plugin <= 1.5.15 versions.

Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin – FooGallery plugin <= 2.2.44 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Realbig Team Realbig For WordPress plugin <= 1.0.3 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Jonk @ Follow me Darling Sp*tify Play Button for WordPress plugin <= 2.10 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Patreon Patreon WordPress.This issue affects Patreon WordPress: from n/a through 1.8.6.

Cross-Site Request Forgery (CSRF) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.7 versions.

Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage for WordPress plugin <= 1.3.39 versions.

Cross-Site Request Forgery (CSRF) vulnerability in WPMobilePack.Com WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps plugin <= 3.4.1 versions.

Cross-Site Request Forgery (CSRF) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Prem Tiwari Disable WordPress Update Notifications and auto-update Email Notifications plugin <= 2.3.3 versions.

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.7 versions.

Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).

Cross-Site Request Forgery (CSRF) vulnerability in Web_Trendy WP Custom Cursors | WordPress Cursor Plugin plugin < 3.2 versions.

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions.

Cross-Site Request Forgery (CSRF) vulnerability in SuPlugins Superb Social Media Share Buttons and Follow Buttons for WordPress plugin <= 1.1.3 versions.

Cross-Site Request Forgery (CSRF) vulnerability in flippercode WordPress Plugin for Google Maps – WP MAPS (formerly WP Google Map Plugin) plugin <= 4.4.2 versions.

Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.10 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Tomas | Docs | FAQ | Premium Support WordPress Tooltips.This issue affects WordPress Tooltips: from n/a through 8.2.5.

Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Pagup WordPress Robots.Txt optimization plugin <= 1.4.5 versions.

Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions.

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to th…

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted t…

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to mod…

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userpro_save_userdata' function. This makes it possible for unauthenticated attackers to update the user meta and inject …

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_callback function in versions up to, and including, 4.5. This makes it possible for unauthenticated to logout a vctia conn…

Cross-Site Request Forgery (CSRF) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions.

Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin WordPress Books Gallery plugin <= 4.4.8 versions.

Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Album Gallery – WordPress Gallery plugin <= 1.4.9 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Mr.Vibe vSlider Multi Image Slider for WordPress plugin <= 4.1.2 versions.

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the deleteCssAndJsCacheToolbar function. This makes it possible for unauthenticated attackers to perform cache deleti…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the deleteCacheToolbar function. This makes it possible for unauthenticated attackers to perform cache deletion via a…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_clear_cache_of_allsites_callback function. This makes it possible for unauthenticated attackers to clear cac…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_toolbar_save_settings_callback function. This makes it possible for unauthenticated attackers to change cach…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_remove_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers …

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_pause_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers t…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_start_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers t…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_purgecache_varnish_callback function. This makes it possible for unauthenticated attackers to purge the varn…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_preload_single_save_settings_callback function. This makes it possible for unauthenticated attackers to chan…

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_preload_single_callback function. This makes it possible for unauthenticated attackers to invoke a cache bui…

Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WordPress WP-Advanced-Search plugin <= 3.3.8 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin <= 3.98.7 versions.

Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery.This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from n/a through 1.4.2.

Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay – Square for WordPress plugin <= 4.1 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, josh401 WP CSV to Database – Insert CSV file content into WordPress plugin <= 2.6 versions.

Cross-Site Request Forgery (CSRF) vulnerability in WPManageNinja LLC Ninja Tables – Best Data Table Plugin for WordPress plugin <= 4.3.4 versions.

Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.

Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1.

Cross-Site Request Forgery (CSRF) vulnerability in Nickys Image Map Pro for WordPress - Interactive SVG Image Map Builder plugin < 5.6.9 versions.

Cross-Site Request Forgery (CSRF) vulnerability in GalleryPlugins Video Contest WordPress plugin <= 3.2 versions.

Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) in David Anderson Testimonial Slider plugin <= 1.3.1 on WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative Mail plugin <= 1.5.4 on WordPress.

Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.

Cross-Site Request Forgery (CSRF) vulnerability in Forms by CaptainForm – Form Builder for WordPress plugin <= 2.5.3 versions.

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.

Cross-Site Request Forgery (CSRF) vulnerability in Booster for WooCommerce plugin <= 5.6.6 on WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Viszt Péter's Integration for Szamlazz.hu & WooCommerce plugin <= 5.6.3.2 and Csomagpontok és szállítási címkék WooCommerce-hez plugin <= 1.9.0.2 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions.

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Store Locator plugin <= 1.4.5 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress.

Multiple Cross-Site Scripting (CSRF) vulnerabilities in SEO Redirection Plugin plugin <= 8.9 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Creative Mail plugin <= 1.5.4 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Rate my Post – WP Rating System plugin <= 3.3.4 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion.

Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change.

Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Podcasting plugin <= 2.16.0 at WordPress, leading to plugin settings change.

Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Page View Count plugin <= 2.5.5 on WordPress allows an attacker to reset the plugin settings.

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.

Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 404 errors and redirection history.

Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery plugin <= 3.28 leading to thumbnail alteration.

Cross-Site Request Forgery (CSRF) vulnerability in Kraken.io Image Optimizer plugin <= 2.6.5 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes WordPress Header Builder Plugin – Pearl plugin <= 1.3.4 versions.

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Shortcodes Ultimate plugin <= 5.12.0 at WordPress leading to plugin preset settings change.

Cross-Site Request Forgery (CSRF) vulnerability in Read more By Adam plugin <= 1.1.8 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability Backup Scheduler plugin <= 1.5.13 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Mantenimiento web plugin <= 0.13 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Alexey Trofimov's Access Code Feeder plugin <= 1.0.3 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza's Captcha Code plugin <= 2.7 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Mickey Kay's Better Font Awesome plugin <= 2.0.1 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Topdigitaltrends Mega Addons For WPBakery Page Builder plugin <= 4.2.7 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in CallRail, Inc. CallRail Phone Call Tracking plugin <= 0.4.9 at WordPress.

Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in 3D Tag Cloud plugin <= 3.8 at WordPress.

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions.

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in YDS Support Ticket System plugin <= 1.0 at WordPress.

Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ЮKassa для WooCommerce plugin <= 2.3.0 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Simon Ward MP3 jPlayer plugin <= 2.7.3 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in GetResponse plugin <= 5.5.20 at WordPress.

Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key.

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update.

Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change.

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status change.

The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know…

Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions.

Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings.

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings.

Cross-Site Request Forgery (CSRF) vulnerability in Sucuri Security plugin <= 1.8.33 at WordPress leading to Event log entry creation.

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Private Messages For WordPress plugin <= 2.1.10 at WordPress allows attackers to send messages.

Cross-Site Request Forgery (CSRF) vulnerability in Image Slider by NextCode plugin <= 1.1.2 at WordPress allows deleting slides.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Image Slider by NextCode plugin <= 1.1.2 at WordPress.

Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code).

Cross-Site Request Forgery (CSRF) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress allows an attacker to delete or to turn on/off snippets.

Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.

Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery.

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, chang…

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via &title parameter.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source.

Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress allows Plugin Settings Change.

Cross-Site Request Forgery (CSRF) in Use Any Font (WordPress plugin) <= 6.1.7 allows an attacker to deactivate the API key.

Cross-Site Request Forgery (CSRF) in Simple Ajax Chat (WordPress plugin) <= 20220115 allows an attacker to clear the chat log or delete a chat message.

Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to import templates.

Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to create or modify slider.

Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in Keywordrush Content Egg plugin <= 5.4.0 on WordPress.

Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion.

Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.7 allows an attacker to Sync with Zoom Meetings.

Cross-Site Request Forgery (CSRF) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers to trick authenticated users into unwanted slider duplicate or delete action.

Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3).

Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).

Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin (versions <= 3.4.4).

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media).

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin.

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog

The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

The Sideblog WordPress plugin through 6.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to t…

The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a…

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitra…

The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack

Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).

The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauth…

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), c…

The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.17. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save manu…

The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.43. This is due to missing or incorrect nonce validation on the implecode_save_products_meta() function. This makes it possible for unauthenticate…

The WordPress Photo Gallery – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the load_images_thumbnail() and edit_gallery() functions. This makes it possible for unauthent…

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) in CalderaWP License Manager (WordPress plugin) <= 1.2.11.

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass".

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.

Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages.

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.

Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.

The Pricing Tables WordPress Plugin WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting …

The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover…

The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.

The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack

The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link

The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (…

The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to e…

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as em…

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link.

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the …

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE.

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.

The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.

Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions.

The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.99. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative actions, such as addin…

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary…