Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-0393

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-14 Jan, 2025 | 08:23
Updated At-08 Apr, 2026 | 17:14
Rejected At-
Credits

Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:14 Jan, 2025 | 08:23
Updated At:08 Apr, 2026 | 17:14
Rejected At:
▼CVE Numbering Authority (CNA)
Royal Elementor Addons and Templates <= 1.7.1006 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Products
Vendor
Royal Elementor Addonswproyal
Product
Royal Addons for Elementor – Addons and Templates Kit for Elementor
Default Status
unaffected
Versions
Affected
  • From 0 through 1.7.1006 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Matthew Rollings
Timeline
EventDate
Disclosed2025-01-13 19:52:46
Event: Disclosed
Date: 2025-01-13 19:52:46
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e34c05-7431-4acd-91f3-aab5e66f61ad?source=cve
N/A
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L391
N/A
https://wordpress.org/plugins/royal-elementor-addons/#developers
N/A
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L1260
N/A
https://plugins.trac.wordpress.org/changeset/3220959/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e34c05-7431-4acd-91f3-aab5e66f61ad?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L391
Resource: N/A
Hyperlink: https://wordpress.org/plugins/royal-elementor-addons/#developers
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L1260
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3220959/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:14 Jan, 2025 | 09:15
Updated At:03 Mar, 2025 | 17:42

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches

Royal Elementor Addons
royal-elementor-addons
>>royal_elementor_addons>>Versions up to 1.7.1006(inclusive)
cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarysecurity@wordfence.com
CWE ID: CWE-352
Type: Primary
Source: security@wordfence.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L1260security@wordfence.com
Product
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L391security@wordfence.com
Product
https://plugins.trac.wordpress.org/changeset/3220959/security@wordfence.com
Patch
https://wordpress.org/plugins/royal-elementor-addons/#developerssecurity@wordfence.com
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e34c05-7431-4acd-91f3-aab5e66f61ad?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L1260
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1006/classes/modules/wpr-filter-grid-posts.php#L391
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/changeset/3220959/
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://wordpress.org/plugins/royal-elementor-addons/#developers
Source: security@wordfence.com
Resource:
Release Notes
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e34c05-7431-4acd-91f3-aab5e66f61ad?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

316Records found

CVE-2024-49629
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.16% / 5.33%
||
7 Day CHG~0.00%
Published-20 Oct, 2024 | 10:05
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Endless Posts Navigation plugin <= 2.2.7 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Fahad Mahmood Endless Posts Navigation endless-posts-navigation allows Stored XSS.This issue affects Endless Posts Navigation: from n/a through <= 2.2.7.

Action-Not Available
Vendor-androidbubblesFahad Mahmood
Product-endless_posts_navigationEndless Posts Navigation
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-4194
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.53%
||
7 Day CHG~0.00%
Published-17 May, 2025 | 03:24
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AlT Monitoring <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The AlT Monitoring plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'ALT_Monitoring_edit' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-alti5
Product-AlT Monitoring
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-4189
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.53%
||
7 Day CHG~0.00%
Published-17 May, 2025 | 03:24
Updated-08 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Audio Comments Plugin <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-naicuoctavian
Product-Audio Comments Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-21044
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 8.33%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 21:26
Updated-03 Dec, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-complex_maintenance_repair_and_overhaulComplex Maintenance, Repair, and Overhaul
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-30745
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 8.35%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-29 Jul, 2025 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle MES for Process Manufacturing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle MES for Process Manufacturing accessible data as well as unauthorized read access to a subset of Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-mes_for_process_manufacturingOracle MES for Process Manufacturing
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-30756
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.13% / 2.66%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-16 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in Oracle REST Data Services (component: General). The supported version that is affected is 24.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data as well as unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-Oracle REST Data Services
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-3099
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 7.53%
||
7 Day CHG+0.01%
Published-02 Apr, 2025 | 09:21
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Search by My Solr Server <= 2.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Advanced Search by My Solr Server plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the 'MySolrServerSettings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-dbejean
Product-Advanced Search by My Solr Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-30746
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 8.35%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-22 Jul, 2025 | 02:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iStore accessible data as well as unauthorized read access to a subset of Oracle iStore accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-Oracle iStore
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-49220
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.16% / 5.22%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 18:05
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Cookie Scanner plugin <= 1.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Nikel Cookie Scanner cookie-scanner allows Cross Site Request Forgery.This issue affects Cookie Scanner: from n/a through <= 1.1.

Action-Not Available
Vendor-cookie-scannerNikel
Product-cookie_scannerCookie Scanner
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18677
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-7.24% / 93.58%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 16:21
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

Action-Not Available
Vendor-n/aSquid CacheCanonical Ltd.Fedora Project
Product-ubuntu_linuxsquidfedoran/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-11203
Matching Score-4
Assigner-TIBCO Software Inc.
ShareView Details
Matching Score-4
Assigner-TIBCO Software Inc.
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.11%
||
7 Day CHG~0.00%
Published-24 Apr, 2019 | 20:20
Updated-16 Sep, 2024 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TIBCO ActiveMatrix BPM Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

The workspace client, openspace client, app development client, and REST API of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain cross site scripting (XSS) and cross-site request forgery vulnerabilities. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1.

Action-Not Available
Vendor-TIBCO (Cloud Software Group, Inc.)
Product-activematrix_business_process_managementsilver_fabric_enablerTIBCO ActiveMatrix BPM Distribution for TIBCO Silver FabricTIBCO Silver Fabric Enabler for ActiveMatrix BPMTIBCO ActiveMatrix BPM
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-28857
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.14% / 4.00%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:00
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rankchecker.io Integration plugin <= 1.0.9 - CSRF to Stored Cross Site Scripting (XSS) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in rankchecker Rankchecker.io Integration rankchecker-io-integration allows Stored XSS.This issue affects Rankchecker.io Integration: from n/a through <= 1.0.9.

Action-Not Available
Vendor-rankcheckerrankchecker
Product-rankcheckerRankchecker.io Integration
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8906
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.10%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:45
Updated-27 May, 2026 | 10:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-rahulbhangale
Product-WP Promoter
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-28861
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.14% / 4.00%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:00
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP jQuery Persian Datepicker plugin <= 0.1.0 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS.This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0.

Action-Not Available
Vendor-bhzadbhzad
Product-wp_jquery_persian_datepickerWP jQuery Persian Datepicker
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8910
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.17%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:41
Updated-09 Jun, 2026 | 14:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Emoticon Rating <= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-rahulbhangale
Product-WP Emoticon Rating
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8907
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.10%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 03:41
Updated-09 Jun, 2026 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values — particularly zoom-level — are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-rahulbhangale
Product-WP-Ultimate-Map
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8905
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.30%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 05:33
Updated-25 Jun, 2026 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'prepend_text' Parameter

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-osiris8
Product-Osiris Signature Banner
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8911
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 4.11%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 05:31
Updated-27 May, 2026 | 10:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP AutoBuzz <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'googleAccount' Parameter

The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress's DISALLOW_UNFILTERED_HTML protection because the unsanitized value is written directly via update_option at the plugin level, entirely outside of WordPress post content handling.

Action-Not Available
Vendor-godlessons
Product-WP AutoBuzz
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-7561
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.17%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 07:48
Updated-12 May, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-tienrocker
Product-Tm – WordPress Redirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-28860
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.14% / 4.00%
||
7 Day CHG~0.00%
Published-11 Mar, 2025 | 21:00
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Google News Editors Picks Feed Generator plugin <= 2.1 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS.This issue affects Google News Editors Picks Feed Generator: from n/a through <= 2.1.

Action-Not Available
Vendor-ppdpurveyorPPDPurveyor
Product-google_news_editors_picks_feed_generatorGoogle News Editors Picks Feed Generator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-11193
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-2.09% / 79.38%
||
7 Day CHG~0.00%
Published-30 Apr, 2019 | 18:36
Updated-16 Dec, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.

Action-Not Available
Vendor-directadminn/a
Product-directadminn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8420
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 7.06%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 01:25
Updated-20 May, 2026 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BLOGCHAT Chat System <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update

The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-rdbeach
Product-BLOGCHAT Chat System
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-6391
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 7.06%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 01:25
Updated-20 May, 2026 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters

The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create_admin_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-eazyserver
Product-Sentence To SEO (keywords, description and tags)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-29436
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.7||MEDIUM
EPSS-0.36% / 27.86%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 19:51
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Persistent Cross-Site Scripting (XSS)

Persistent Cross-Site Scripting (XSS) vulnerability in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery (vulnerable parameters &title, &snippet_code).

Action-Not Available
Vendor-code_snippets_extended_projectAlexander Stokmann
Product-code_snippets_extendedCode Snippets Extended (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6395
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 4.84%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 01:25
Updated-20 May, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.

Action-Not Available
Vendor-winking
Product-Word 2 Cash
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-48057
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 8.99%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-04 Sep, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.

Action-Not Available
Vendor-mudlern/amudler
Product-localain/alocalai
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25160
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.14% / 3.34%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:11
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Style Tweaker plugin <= 0.11 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Mark Barnes Style Tweaker style-tweaker allows Stored XSS.This issue affects Style Tweaker: from n/a through <= 0.11.

Action-Not Available
Vendor-markbarnesMark Barnes
Product-style_tweakerStyle Tweaker
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-25168
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.14% / 3.58%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:12
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BookPress – For Book Authors Plugin <= 1.2.7 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS).This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.

Action-Not Available
Vendor-blackandwhitedigitalBlack and White
Product-bookpressBookPress – For Book Authors
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-25166
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.12% / 2.47%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 10:12
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress InLocation plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in gabrieldarezzo InLocation inlocation allows Stored XSS.This issue affects InLocation: from n/a through <= 1.8.

Action-Not Available
Vendor-gabrieldarezzogabrieldarezzo
Product-inlocationInLocation
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-23639
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.16% / 5.80%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 20:06
Updated-28 Apr, 2026 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MDC YouTube Downloader plugin <= 3.0.0 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader mdc-youtube-downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through <= 3.0.0.

Action-Not Available
Vendor-mdc_youtube_downloader_projectNazmul Ahsan
Product-mdc_youtube_downloaderMDC YouTube Downloader
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-21513
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 9.16%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 20:53
Updated-17 Mar, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-jd_edwards_enterpriseone_toolsJD Edwards EnterpriseOne Tools
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1798
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.16% / 5.37%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 Jan, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Design Comuni Italia < 1.1.2 - Unauthenticated Stored XSS

The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-italiaUnknown
Product-design_comuni_italiadesign-comuni-wordpress-theme
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13365
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.42%
||
7 Day CHG~0.00%
Published-20 Dec, 2025 | 03:20
Updated-08 Apr, 2026 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting

The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting.

Action-Not Available
Vendor-tikolan
Product-WP Hallo Welt
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-47790
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.21% / 10.89%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 23:27
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Pz-LinkCard Plugin <= 2.4.8 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in Poporon Pz-LinkCard plugin <= 2.4.8 versions.

Action-Not Available
Vendor-popozurePoporon
Product-pz-linkcardPz-LinkCard
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-13621
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.49%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 05:31
Updated-08 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dream gallery <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'dreampluginsmain' AJAX Action

The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-teamdream
Product-dream gallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12406
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.49%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 08:27
Updated-08 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Project Honey Pot Spam Trap <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-awensley
Product-Project Honey Pot Spam Trap
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12590
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.13% / 2.66%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 03:30
Updated-08 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-andreaferracani
Product-YSlider
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13134
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 1.01%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 07:31
Updated-08 Apr, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AuthorSure <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The AuthorSure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the 'authorsure' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-powerblogservice
Product-AuthorSure
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12402
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.88%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinkedIn Resume <= 2.00 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-bondnono
Product-LinkedIn Resume
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12416
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.51%
||
7 Day CHG+0.01%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pagerank Tools <= 1.1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.

Action-Not Available
Vendor-mahype
Product-Pagerank tools
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12400
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.88%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LMB^Box Smileys <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-lmbbox
Product-LMB^Box Smileys
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12415
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.88%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 04:27
Updated-08 Apr, 2026 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MapMap <= 1.1 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-sugiartha
Product-MapMap
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12452
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 1.71%
||
7 Day CHG+0.01%
Published-04 Nov, 2025 | 04:27
Updated-04 Nov, 2025 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visit Counter 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-bestiadurmiente
Product-Visit Counter
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12589
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.13% / 3.00%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 03:30
Updated-08 Apr, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-baronen
Product-WP-Walla
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12401
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.14% / 3.88%
||
7 Day CHG+0.02%
Published-04 Nov, 2025 | 03:26
Updated-08 Apr, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Label Plugins <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-theode
Product-Label Plugins
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12404
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 2.50%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 08:27
Updated-08 Apr, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Like-it <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-nikolayyordanov
Product-Like-it
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-45527
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 8.30%
||
7 Day CHG~0.00%
Published-02 Sep, 2024 | 00:00
Updated-30 Apr, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.

Action-Not Available
Vendor-vanderbiltn/aredcap
Product-redcapn/aredcap
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-44064
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.17% / 6.97%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 22:35
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Like Button Rating LikeBtn plugin <= 2.6.53 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LikeBtn Like Button Rating likebtn-like-button.This issue affects Like Button Rating: from n/a through <= 2.6.53.

Action-Not Available
Vendor-likebtnLikeBtn
Product-like_button_ratingLike Button Rating
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-2324
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 0.84%
||
7 Day CHG~0.00%
Published-11 Mar, 2026 | 01:22
Updated-22 Apr, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-latepoint
Product-LatePoint – Calendar Booking Plugin for Appointments and Events
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-43339
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 5.36%
||
7 Day CHG~0.00%
Published-26 Aug, 2024 | 20:24
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Webinar Plugin – WebinarPress plugin <= 1.33.20 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WebinarPress allows Cross-Site Scripting (XSS).This issue affects WebinarPress: from n/a through 1.33.20.

Action-Not Available
Vendor-webinarpressWebinarPress
Product-webinarpressWebinarPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found