Skip to main content
CVE-2025-15483 MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1254 MEDIUM This Month

The Modula Image Gallery plugin for WordPress through version 2.13.6 fails to properly validate REST API permissions, allowing authenticated contributors and higher-privileged users to modify arbitrary post content by manipulating post IDs in API requests. Attackers can update titles, excerpts, and body content of posts they do not own, potentially leading to unauthorized content modification or injection attacks. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2022 MEDIUM This Month

WordPress Smart Forms plugin through version 2.6.99 fails to validate user permissions on the 'rednao_smart_forms_get_campaigns' AJAX action, allowing authenticated subscribers and higher-privileged users to retrieve sensitive donation campaign data. An attacker with basic WordPress account access can enumerate campaign IDs and names without proper authorization. A patch is not currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14873 MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14852 MEDIUM This Month

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1394 MEDIUM This Month

The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1983 MEDIUM This Month

Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2312 MEDIUM This Month

Authenticated users with Author-level privileges in WordPress Media Library Folders plugin (versions up to 8.3.6) can delete or rename arbitrary attachments belonging to other users through insufficient validation in the delete_maxgalleria_media() and maxgalleria_rename_image() functions. The rename operation also destroys all postmeta associated with target attachments, resulting in permanent data loss. No patch is currently available.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy