
CVE-2025-2111 – WP Headers And Footers <= 3.1.1 - Cross-Site Request Forgery to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-2111
18 Apr 2025 — The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for... • https://plugins.trac.wordpress.org/browser/wp-headers-and-footers/trunk/lib/wpb-sdk/views/wpb-debug.php#L63 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-1764 – LoginPress <= 3.3.1 - Cross-Site Request Forgery to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-1764
13 Mar 2025 — The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to upd... • https://plugins.svn.wordpress.org/loginpress/trunk/lib/wpb-sdk/views/wpb-debug.php • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-1809 – Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) <= 5.2.3 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-1809
29 Apr 2024 — The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain certain sensitive information related to plugin settings. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072410%40wp-analytify%2Ftrunk&old=3024819%40wp-analytify%2Ftrunk&sfp_email=&sfph_mail= • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVE-2024-1584 – Analytify <= 5.2.1 - Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification
https://notcve.org/view.php?id=CVE-2024-1584
26 Apr 2024 — The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpa_check_authentication' function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to modify the site's Google Analytics tracking ID. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3072410%40wp-analytify&new=3072410%40wp-analytify&sfp_email=&sfph_mail= • CWE-284: Improper Access Control

CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius lower than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization