Total: 8616 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-0088 | 1 Swifty Page Manager Project | 1 Swifty Page Manager | 2025-01-13 | 8.8 High |
| The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion, among other things. This makes it possible for unauthenticated attackers to invoke those functions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2022-3568 | 1 Orangelab | 1 Imagemagick Engine | 2025-01-13 | 8.8 High |
| The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to load files through a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link; the file is then deserialized, instantiating arbitrary PHP objects that can be used to perform a variety of malicious actions, provided a POP chain is also present. It also requires that the attacker has successfully uploaded a file containing the serialized payload. | ||||
| CVE-2023-1029 | 1 Joomunited | 1 Wp Meta Seo | 2025-01-13 | 4.3 Medium |
| The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1472 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2025-01-13 | 6.3 Medium |
| The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Actions include resetting the API key, accessing or deleting log files, and deleting the cache, among others. | ||||
| CVE-2023-1923 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_remove_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers to change CDN settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2528 | 1 Supsystic | 1 Contact Form | 2025-01-13 | 5.4 Medium |
| The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2608 | 1 Themeisle | 1 Multiple Page Generator | 2025-01-13 | 3.1 Low |
| The Multiple Page Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17. This is due to missing nonce verification on the projects_list function, insufficient escaping of the user-supplied parameters, and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries, leading to resource exhaustion, via a forged request, granted they can trick an administrator into performing an action such as clicking on a link. Version 3.3.18 addresses the SQL Injection, which drastically reduces the severity. | ||||
| CVE-2023-2736 | 1 Groundhogg | 1 Groundhogg | 2025-01-13 | 7.5 High |
| The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto login link via shortcode and then modify the user assigned to that auto login link, elevating verified user privileges, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2717 | 1 Groundhogg | 1 Groundhogg | 2025-01-13 | 5.4 Medium |
| The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other plugins, via a forged request, if they can successfully trick an administrator into performing an action such as clicking on a link. A warning message about safe mode is displayed to the admin, but it can easily be dismissed. | ||||
| CVE-2023-2549 | 1 Featherplugins | 1 Feather Login Page | 2025-01-13 | 8.8 High |
| The Feather Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions starting from 1.0.7 up to, and including, 1.1.1. This is due to missing nonce validation in the 'createTempAccountLink' function. This makes it possible for unauthenticated attackers to create a new user with the administrator role via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can leverage CVE-2023-2545 to obtain the login link, or request a password reset to the new user's email address. | ||||
| CVE-2022-30544 | 1 Hyumika | 1 Openstreetmap | 2025-01-13 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) in MiKa's OSM – OpenStreetMap plugin <= 6.0.1 versions. | ||||
| CVE-2022-36401 | 1 Standalonetech | 1 Terawallet | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in TeraWallet – For WooCommerce plugin <= 1.3.24 versions. | ||||
| CVE-2022-44585 | 1 Magneticlab | 1 Homepage Pop-up | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Magneticlab Sàrl Homepage Pop-up plugin <= 1.2.5 versions. | ||||
| CVE-2022-40692 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions. | ||||
| CVE-2022-45067 | 1 Devscred | 1 Exclusive Addons For Elementor | 2025-01-13 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in DevsCred Exclusive Addons Elementor plugin <= 2.6.1 versions. | ||||
| CVE-2022-45807 | 1 Wpvibes | 1 Wp Mail Log | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) in WPVibes WP Mail Log plugin <= 1.0.1 versions. | ||||
| CVE-2022-46815 | 1 Wptrio | 1 Conditional Shipping For Woocommerce | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Lauri Karisola / WP Trio Conditional Shipping for WooCommerce plugin <= 2.3.1 versions. | ||||
| CVE-2022-46842 | 1 Wiselyhub | 1 Js Help Desk | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions. | ||||
| CVE-2022-27628 | 1 Wzone Project | 1 Wzone | 2025-01-13 | 4.7 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WZone – Lite Version plugin 3.1 Lite versions. | ||||
| CVE-2022-41620 | 1 Seosamba | 1 Seosamba | 2025-01-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions. | ||||