Total
9182 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5772 | 1 Bowo | 1 Debug Log Manager | 2026-04-08 | 4.3 Medium |
| The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the clear_log() function. This makes it possible for unauthenticated attackers to clear the debug log via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-4924 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2026-04-08 | 5.4 Medium |
| The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products. | ||||
| CVE-2024-12545 | 1 Appsmav | 1 Scratch \& Win | 2026-04-08 | 5.4 Medium |
| The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-3331 | 2 Chuckmo, Wordpress | 2 Lobot Slider Administrator, Wordpress | 2026-04-08 | 4.3 Medium |
| The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plugin slider-page configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-4923 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2026-04-08 | 5.4 Medium |
| The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_delete function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-12385 | 1 Kevonadonis | 1 Wp Abstracts | 2026-04-08 | 6.1 Medium |
| The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing nonce validation on the wpabstracts_load_status() and wpabstracts_delete_abstracts() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-13682 | 2 Wordpress, Wpswings | 2 Wordpress, Wallet System For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1644 | 2 Glowlogix, Wordpress | 2 Wp Frontend Profile, Wordpress | 2026-04-08 | 4.3 Medium |
| The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2599 | 1 Miniorange | 1 Active Directory Integration \/ Ldap Integration | 2026-04-08 | 3.1 Low |
| The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to cause resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1392 | 2 Superrishi, Wordpress | 2 Sr Wp Minify Html, Wordpress | 2026-04-08 | 4.3 Medium |
| The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0808 | 1 Wp-property-hive | 1 Houzez Property Feed | 2026-04-08 | 4.3 Medium |
| The Houzez Property Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.21. This is due to missing or incorrect nonce validation on the "deleteexport" action. This makes it possible for unauthenticated attackers to delete property feed exports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-11641 | 1 Vikwp | 1 Vikbooking Hotel Booking Engine \& Pms | 2026-04-08 | 8.8 High |
| The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-10593 | 1 Wpforms | 1 Wpforms | 2026-04-08 | 4.3 Medium |
| The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-0790 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2026-04-08 | 5.4 Medium |
| The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request. | ||||
| CVE-2026-2494 | 2 Metagauss, Wordpress | 2 Profilegrid – User Profiles, Groups And Communities, Wordpress | 2026-04-08 | 4.3 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-9598 | 1 Magazine3 | 1 Amp For Wp | 2026-04-08 | 8.8 High |
| The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.99.1. This is due to missing or incorrect nonce validation on the 'proxy' function. This makes it possible for unauthenticated attackers to send the logged in user's cookies to their own server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2022-2001 | 1 Devrix | 1 Dx Share Selection | 2026-04-08 | 8.8 High |
| The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-13647 | 1 Themesawesome | 1 Sakolawp | 2026-04-08 | 4.3 Medium |
| The School Management System – SakolaWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the 'save_exam_setting' and 'delete_exam_setting' actions. This makes it possible for unauthenticated attackers to update exam settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-3332 | 2 Wordpress, Xhanch Studio | 2 Wordpress, Xhanch – My Advanced Settings | 2026-04-08 | 4.3 Medium |
| The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Settings that can be modified include favicon URL, Google Analytics account ID, and various WordPress behavior toggles. The `favicon_url` and `ga_acc_id` values are output on the front-end without escaping, enabling a CSRF to Stored XSS chain. | ||||
| CVE-2024-13707 | 1 Ivanm | 1 Wp Image Uploader | 2026-04-08 | 8.8 High |
| The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the gky_image_uploader_main_function() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||