Total
9090 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1785 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. | |||||
| CVE-2026-1745 | 1 Oretnom23 | 1 Medical Certificate Generator App | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-1644 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1508 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2026-1468 | 2026-06-17 | N/A | N/A | ||
| QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges. This software does not implement any protection against this type of attack. All forms available in this software are potentially vulnerable. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2026-1455 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1447 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. | |||||
| CVE-2026-1398 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1394 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1380 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1377 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1215 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1208 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-1169 | 1 Birkir | 1 Prime | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-1165 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | |||||
| CVE-2026-1153 | 1 Technical-laohu | 1 Mpay | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | |||||
| CVE-2026-1148 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | |||||
| CVE-2026-1142 | 1 Phpgurukul | 1 News Portal | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2026-1128 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | |||||
| CVE-2026-1088 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||