Skip to main content
CVE-2025-9129 MEDIUM This Month

The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9080 MEDIUM This Month

The Generic Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget fields in version 1.2.4 and earlier. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8776 MEDIUM This Month

The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icol’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-10192 MEDIUM This Month

The WP Photo Effects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wppe_effect' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-10165 MEDIUM This Month

The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11241 MEDIUM This Month

The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-7825 MEDIUM This Month

The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Deserialization Information Disclosure PHP WordPress
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-53354 MEDIUM PATCH This Month

NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 3.0.0.

XSS Python
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-9884 MEDIUM This Month

The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-61589 MEDIUM PATCH This Month

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7.

Information Disclosure Cursor
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-10609 MEDIUM PATCH This Month

Use of Hard-coded Credentials vulnerability in Logo Software Inc. TigerWings ERP allows Read Sensitive Constants Within an Executable.This issue affects TigerWings ERP: from 01.01.00 before 3.03.00.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-9372 MEDIUM This Month

The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

XSS WordPress PHP
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9333 MEDIUM This Month

The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

XSS WordPress PHP
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9332 MEDIUM This Month

The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

XSS WordPress PHP
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-61681 MEDIUM PATCH This Month

KUNO CMS is a fully deployable full-stack blog application. Versions 1.3.13 and below contain validation flaws in its file upload functionality that can be exploited for stored XSS. The upload endpoint only validates file types based on Content-Type headers, lacks file content analysis and extension whitelist restrictions, allowing attackers to upload SVG files containing malicious scripts (disguised as images). When users access the uploaded resource pages, arbitrary JavaScript executes in their browsers. This issue is fixed in version 1.3.14.

XSS File Upload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10212 MEDIUM This Month

CVE-2025-10212 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass PHP WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-9892 MEDIUM This Month

The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-52866 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52862 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52860 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52859 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52858 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52857 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52855 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52854 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52853 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52433 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52432 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later and later QuTS hero h5.2.6.3195 build 20250715 and later QuTS hero h5.3.0.3192 build 20250716 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52428 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52427 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52424 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-48729 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-48728 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-48727 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-48726 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Qts Quts Hero
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-47214 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-47213 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Denial Of Service Qnap Null Pointer Dereference Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-47211 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Qnap Path Traversal Quts Hero Qts
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-27231 MEDIUM PATCH This Month

The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.

Information Disclosure Ubuntu Debian Zabbix Suse
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-52654 MEDIUM This Month

HCL MyXalytics v6.6 is affected by an HTML Injection. This issue occurs when untrusted input is included in the output without proper handling, potentially allowing unauthorized content injection and manipulation.

XSS Dryice Myxalytics
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-10053 MEDIUM This Month

The TableGen - Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

XSS WordPress PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-9194 MEDIUM This Month

A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49641 MEDIUM PATCH This Month

A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.

Authentication Bypass Ubuntu Debian Zabbix Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9945 MEDIUM This Month

The Optimize More! - CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9897 MEDIUM This Month

The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modify background sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9895 MEDIUM This Month

The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9889 MEDIUM This Month

The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind their own ContentMX connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9885 MEDIUM This Month

The MPWizard - Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-10311 MEDIUM This Month

The Comment Info Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing nonce validation on the options.php file when handling form submissions. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-10309 MEDIUM This Month

The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and modify PayPal payment settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy