Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.
Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.
Cross-Site Request Forgery in Jason2605 AdminPanel 4.0 exposes the delete.php endpoint to forged requests, allowing an unauthenticated remote attacker to perform unauthorized deletion operations by tricking an authenticated administrator into triggering the request. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-reachable with no required attacker privileges, though victim interaction is mandatory. A publicly available proof-of-concept exists per SSVC classification, though no active exploitation (CISA KEV) has been confirmed at time of analysis.
Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.
Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.
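Several of the entries above share one root cause: an options-update handler that trusts any request arriving with the administrator's session cookie, because the WordPress nonce check was omitted. The following is an added example written for this page, not code from GoStats, MetaMagic, PeachPay or any other plugin named above. It places a handler in that vulnerable shape beside the hardened form a reviewer would expect. The plugin prefix `exampleplugin_`, the option names and the `manage_options` capability are assumptions; the WordPress functions (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `admin_post_*` hooks) are the real core API.

```php
<?php
/*
 * Added example (not code from any plugin named on this page): a minimal
 * WordPress settings handler in the vulnerable shape the entries describe,
 * beside a hardened version. Plugin prefix, option names and capability
 * are assumptions.
 */

// --- Vulnerable shape (NOT registered on any hook here) ---
function exampleplugin_update_options_vulnerable() {
    // No nonce check and no capability check: a cross-site POST that the
    // browser sends with the admin's cookies is accepted like a real one.
    update_option( 'exampleplugin_site_id', $_POST['site_id'] );
    update_option( 'exampleplugin_server',  $_POST['server'] );
}

// --- Hardened shape: capability proves authority, nonce proves intent ---
function exampleplugin_update_options() {
    // 1. Authorization: the caller must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF defence: check_admin_referer() verifies the nonce submitted in
    //    the default field name (_wpnonce) against this action string and
    //    terminates with a 403 if it is missing, expired or forged.
    check_admin_referer( 'exampleplugin_save_options' );

    // 3. Validate and sanitize before storing anything.
    $site_id = isset( $_POST['site_id'] ) ? absint( $_POST['site_id'] ) : 0;
    $server  = isset( $_POST['server'] )
        ? esc_url_raw( wp_unslash( $_POST['server'] ) )
        : '';
    if ( '' !== $server && false === wp_http_validate_url( $server ) ) {
        wp_die( 'Invalid server URL.', 400 );
    }

    update_option( 'exampleplugin_site_id', $site_id );
    update_option( 'exampleplugin_server', $server );

    // Redirect back to the settings page (PRG pattern).
    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=exampleplugin' ) )
    );
    exit;
}
// admin_post_{action} only fires for logged-in users posting to admin-post.php.
add_action( 'admin_post_exampleplugin_save_options', 'exampleplugin_update_options' );

// The settings form must emit the matching nonce field.
function exampleplugin_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="exampleplugin_save_options">
        <?php wp_nonce_field( 'exampleplugin_save_options' ); ?>
        <p><label>Site ID
            <input type="number" name="site_id"
                   value="<?php echo esc_attr( get_option( 'exampleplugin_site_id', '' ) ); ?>">
        </label></p>
        <p><label>Server
            <input type="url" name="server"
                   value="<?php echo esc_attr( get_option( 'exampleplugin_server', '' ) ); ?>">
        </label></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same two checks apply to handlers that read their input from `$_GET`, such as the OAuth callback described in the Easy Digital Downloads entry: a state value bound to the session (or a nonce carried in the redirect URL and checked with `wp_verify_nonce()`) is what distinguishes the administrator's own round-trip from a link an attacker prepared. When auditing a plugin for this class of bug, search every `update_option()` / `delete_option()` call reachable from `admin_init`, `admin_post_*` or an AJAX action and confirm both a capability check and a nonce check precede it.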