Total
8462 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1208 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1070 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14630 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13205 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1081 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13194 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1075 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1076 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14906 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1088 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13139 | 2026-01-26 | N/A | 4.3 MEDIUM | ||
| The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-33680 | 1 Mainwp | 1 Mainwp Child Reports | 2026-01-23 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports.This issue affects MainWP Child Reports: from n/a through 2.1.1. | |||||
| CVE-2024-31272 | 1 Reputeinfosystems | 1 Arforms Form Builder | 2026-01-23 | N/A | 6.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Repute InfoSystems ARForms Form Builder.This issue affects ARForms Form Builder: from n/a through 1.6.1. | |||||
| CVE-2024-9450 | 1 Syntacticsinc | 1 Easync | 2026-01-23 | N/A | 6.5 MEDIUM |
| The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF attack | |||||
| CVE-2021-24767 | 1 Wpvibes | 1 Redirect 404 Error Page To Homepage Or Custom Page With Logs | 2026-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2024-8047 | 1 Freakingwildchild | 1 Visual Sound | 2026-01-23 | N/A | 6.5 MEDIUM |
| The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-7859 | 1 Freakingwildchild | 1 Visual Sound | 2026-01-23 | N/A | 6.5 MEDIUM |
| The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2025-58576 | 1 Groupsession | 1 Groupsession | 2026-01-23 | N/A | 4.3 MEDIUM |
| Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may be performed. | |||||
| CVE-2025-39351 | 1 Themegoods | 1 Grand Restaurant | 2026-01-22 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Restaurant WordPress allows Cross Site Request Forgery.This issue affects Grand Restaurant WordPress: from n/a through 7.0. | |||||
| CVE-2024-32107 | 1 Xlplugins | 1 Finale | 2026-01-22 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in XLPlugins Finale Lite.This issue affects Finale Lite: from n/a through 2.18.0. | |||||