Skip to main content
CVE-2026-1191 MEDIUM This Month

Stored cross-site scripting in the JavaScript Notifier WordPress plugin through version 1.2.8 allows administrators to inject malicious scripts into website pages due to improper input sanitization in plugin settings. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. This requires administrator-level access to exploit but affects all website visitors who view the compromised pages.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1302 MEDIUM This Month

Stored XSS in Meta-box GalleryMeta plugin through WordPress admin settings allows authenticated editors and higher-privileged users to inject malicious scripts that execute for site visitors, affecting only multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in plugin versions up to 3.0.1, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1084 MEDIUM This Month

Cookie consent for developers (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15516 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0687 MEDIUM This Month

The Meta Box GalleryMeta WordPress plugin through version 3.0.1 fails to enforce proper capability checks on the 'mb_gallery' custom post type, allowing authenticated users with Author-level or higher privileges to create and publish galleries without authorization. This insufficient access control could enable low-privileged attackers to modify gallery content and bypass intended editorial workflows.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14907 MEDIUM This Month

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13194 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13139 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1088 MEDIUM This Month

WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14906 MEDIUM This Month

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1208 MEDIUM This Month

Friendly Functions for Welcart (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14630 MEDIUM This Month

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13205 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1081 MEDIUM This Month

Set Bulk Post Categories (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1076 MEDIUM This Month

The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1075 MEDIUM This Month

The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1070 MEDIUM PATCH This Month

The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.

WordPress CSRF Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14903 MEDIUM This Month

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0633 LOW Monitor

The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minu...

WordPress Information Disclosure
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-24474 This Week

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied.

RCE Code Injection
NVD GitHub
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy