Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-6064 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP URL Shortener plugin for WordPress, specifically all versions up to and including 1.2. The vulnerability arises from missing or incorrect nonce validation on the 'url_shortener_settings' page. Nonces are security tokens used to verify that requests to change settings originate from legitimate users and not from forged requests. Due to this flaw, an unauthenticated attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), allows the attacker to update plugin settings. This can lead to the injection of malicious web scripts, potentially enabling further attacks such as persistent cross-site scripting (XSS), redirecting users to malicious sites, or compromising site integrity. The vulnerability has a CVSS 3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based (remote), requires no privileges, but does require user interaction (the administrator must be tricked into clicking a crafted link). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. There are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability is categorized under CWE-352, which is a common web application security weakness related to CSRF attacks. Given the widespread use of WordPress and the popularity of URL shortener plugins for managing links, this vulnerability poses a tangible risk to websites using this plugin, especially those with multiple administrators or high traffic where social engineering attacks are more feasible.

Detailed information about CVE-2025-6064: CWE-352 Cross-Site Request Forgery (CSRF) in djerba WP URL Shortener affecting djerba WP URL Shortener. Get real-time 

CVE-2025-6064: CWE-352 Cross-Site Request Forgery (CSRF) in djerba WP URL Shortener - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6064: CWE-352 Cross-Site Request Forgery (CSRF) in djerba WP URL Shortener

The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-6063 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the XiSearch bar plugin for WordPress, developed by dmitry78. This vulnerability exists in all versions up to and including 2.6 due to missing or incorrect nonce validation on the 'xisearch-key-config' administrative page. Nonces are security tokens used to verify that requests made to a web application are intentional and originate from authenticated users. The absence or improper implementation of nonce validation allows an attacker to craft malicious requests that can be executed by an authenticated administrator if they are tricked into clicking a specially crafted link or visiting a malicious webpage. Exploiting this vulnerability, an unauthenticated attacker can update plugin settings and inject malicious web scripts, potentially leading to persistent cross-site scripting (XSS) or other malicious behaviors. The vulnerability has a CVSS 3.1 base score of 6.1, indicating a medium severity level. The vector details (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) show that the attack can be performed remotely over the network with low attack complexity, requires no privileges but does require user interaction (an admin clicking a link), and impacts confidentiality and integrity with a scope change, but does not affect availability. No known exploits are reported in the wild as of the publication date (June 14, 2025). The vulnerability is categorized under CWE-352, which is a common web security weakness related to CSRF attacks. Since the plugin is a WordPress component, it is likely widely used in various WordPress deployments, especially those that rely on the XiSearch bar for enhanced search functionality. The attack targets administrative users, meaning successful exploitation could compromise site configuration and potentially lead to further compromise via script injection.

Detailed information about CVE-2025-6063: CWE-352 Cross-Site Request Forgery (CSRF) in dmitry78 XiSearch bar affecting dmitry78 XiSearch bar. Get real-time upda

CVE-2025-6063: CWE-352 Cross-Site Request Forgery (CSRF) in dmitry78 XiSearch bar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6063: CWE-352 Cross-Site Request Forgery (CSRF) in dmitry78 XiSearch bar

The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-6062 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Yougler Blogger Profile Page plugin for WordPress, developed by netlatch. This vulnerability affects all versions up to and including v1.01. The root cause is the absence or incorrect implementation of nonce validation on the 'yougler-plugin.php' page, which is responsible for handling plugin settings updates. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third-party sites. Without proper nonce validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (for example, by clicking a malicious link), can alter the plugin's settings without the administrator's consent or knowledge. The vulnerability requires user interaction (the administrator must be tricked into clicking a link) but does not require any prior authentication by the attacker. The CVSS v3.1 base score is 4.3 (medium severity), with an attack vector of network (remote), low attack complexity, no privileges required, user interaction required, unchanged scope, no impact on confidentiality or availability, but a low impact on integrity due to unauthorized modification of plugin settings. No known exploits are currently reported in the wild, and no patches have been released at the time of this analysis. Given that the plugin is a WordPress extension, the vulnerability potentially affects any WordPress site using this plugin, especially those with administrators who have the ability to modify plugin settings. The attack could lead to unauthorized changes in plugin behavior, potentially enabling further exploitation or disruption of site functionality.

Detailed information about CVE-2025-6062: CWE-352 Cross-Site Request Forgery (CSRF) in netlatch Yougler Blogger Profile Page affecting netlatch Yougler Blogger 

CVE-2025-6062: CWE-352 Cross-Site Request Forgery (CSRF) in netlatch Yougler Blogger Profile Page - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6062: CWE-352 Cross-Site Request Forgery (CSRF) in netlatch Yougler Blogger Profile Page

The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-6055 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Zen Sticky Social plugin for WordPress, developed by bogdanding. This vulnerability exists in all versions up to and including version 0.3 due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. Nonces are security tokens used to verify that requests made to a web application are intentional and originate from authenticated users. The absence or improper implementation of nonce validation allows an unauthenticated attacker to craft malicious requests that, when executed by an authenticated site administrator (for example, by clicking a specially crafted link), can update plugin settings and inject malicious scripts into the website. This can lead to unauthorized changes in the plugin configuration and potential cross-site scripting (XSS) attacks, which may compromise the integrity and confidentiality of the site. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based (remote), requires no privileges, but does require user interaction (the administrator must be tricked into clicking a malicious link). The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is classified under CWE-352, which specifically relates to CSRF issues where attackers exploit the trust a site has in a user's browser to perform unauthorized actions.

Detailed information about CVE-2025-6055: CWE-352 Cross-Site Request Forgery (CSRF) in bogdanding Zen Sticky Social affecting bogdanding Zen Sticky Social. Get 

CVE-2025-6055: CWE-352 Cross-Site Request Forgery (CSRF) in bogdanding Zen Sticky Social - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6055: CWE-352 Cross-Site Request Forgery (CSRF) in bogdanding Zen Sticky Social

The AI Image Lab – Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-4592 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'AI Image Lab – Free AI Image Generator' developed by aspengrovestudios. This vulnerability exists in all versions up to and including 1.0.6 due to missing or incorrect nonce validation on the 'wpz-ai-images' administrative page. Nonces in WordPress are security tokens used to verify that requests come from legitimate users and not from forged sources. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can update the plugin's API key without the administrator's consent. This attack does not require the attacker to be authenticated, but it does require user interaction from an administrator, making it a UI:R (User Interaction Required) vulnerability. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the impact is limited to integrity (modification of the API key) without affecting confidentiality or availability. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and scope unchanged (S:U). There are no known exploits in the wild as of the publication date, and no patches have been released yet. The vulnerability could allow an attacker to replace the legitimate API key with a malicious one, potentially redirecting plugin functionality or data to attacker-controlled services, which could lead to further compromise depending on the API's role and permissions. However, the vulnerability does not directly expose sensitive data or disrupt service availability.

Detailed information about CVE-2025-4592: CWE-352 Cross-Site Request Forgery (CSRF) in aspengrovestudios AI Image Lab – Free AI Image Generator affecting aspeng

CVE-2025-4592: CWE-352 Cross-Site Request Forgery (CSRF) in aspengrovestudios AI Image Lab – Free AI Image Generator - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-4592: CWE-352 Cross-Site Request Forgery (CSRF) in aspengrovestudios AI Image Lab – Free AI Image Generator

The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-6059 is a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 2.27.21 of the Seraphinite Accelerator plugin for WordPress, developed by seraphinitesoft. The vulnerability arises from missing or incorrect nonce validation in the 'OnAdminApi_CacheOpBegin' function. Nonces in WordPress are security tokens used to verify that requests intended to perform sensitive actions originate from legitimate users and not from malicious third parties. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link or visiting a webpage), triggers administrative actions without the administrator's explicit consent. Specifically, this vulnerability enables unauthenticated attackers to perform several administrative operations, including deleting the cache, which could disrupt site performance or availability. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction (the administrator must be tricked into executing the malicious request). The impact on confidentiality is none, integrity impact is low (due to unauthorized administrative actions), and availability impact is none. No known exploits are currently reported in the wild, and no patches have been published at the time of analysis. The vulnerability is classified under CWE-352, which is a common web application security weakness related to CSRF attacks. Given the plugin’s integration with WordPress, a widely used content management system, this vulnerability could affect a broad range of websites using this plugin version, especially those with administrative users who might be targeted via social engineering or phishing campaigns to trigger the exploit.

Detailed information about CVE-2025-6059: CWE-352 Cross-Site Request Forgery (CSRF) in seraphinitesoft Seraphinite Accelerator affecting seraphinitesoft Seraphi

CVE-2025-6059: CWE-352 Cross-Site Request Forgery (CSRF) in seraphinitesoft Seraphinite Accelerator - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6059: CWE-352 Cross-Site Request Forgery (CSRF) in seraphinitesoft Seraphinite Accelerator

The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-5938 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress, specifically all versions up to and including 1.1.1. The vulnerability arises due to missing or incorrect nonce validation in the import_templates() function. Nonces in WordPress are security tokens used to verify that a request comes from a legitimate source and to prevent unauthorized actions. In this case, the lack of proper nonce validation allows an attacker to craft a malicious request that, if executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious webpage), triggers the import_templates() function without their explicit consent. This import action could potentially modify the site's templates or configurations, leading to unauthorized changes. The vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator, making it a UI-required attack vector. The CVSS 3.1 base score is 5.3 (medium severity), with the vector indicating Network attack vector (AV:N), Low attack complexity (AC:L), No privileges required (PR:N), No user interaction (UI:N) according to the vector string, but the description clarifies that user interaction is needed, suggesting a minor discrepancy. The impact is limited to integrity (I:L) with no confidentiality or availability impact. No known exploits have been reported in the wild as of the publication date (June 13, 2025). The plugin is used to provide marketing and agency templates within Elementor, a popular WordPress page builder, which is widely adopted in many websites including those of European organizations. This vulnerability could allow attackers to manipulate website content or templates, potentially leading to defacement, misinformation, or further exploitation if combined with other vulnerabilities or social engineering attacks targeting administrators.

Detailed information about CVE-2025-5938: CWE-352 Cross-Site Request Forgery (CSRF) in themebon Digital Marketing and Agency Templates Addons for Elementor affe

CVE-2025-5938: CWE-352 Cross-Site Request Forgery (CSRF) in themebon Digital Marketing and Agency Templates Addons for Elementor - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5938: CWE-352 Cross-Site Request Forgery (CSRF) in themebon Digital Marketing and Agency Templates Addons for Elementor

The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-5930 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP2HTML plugin for WordPress, developed by digitalacornjp. This vulnerability exists in all versions up to and including 1.0.2 due to missing or incorrect nonce validation in the plugin's save() function. Nonces in WordPress are security tokens used to verify that requests to perform sensitive actions originate from legitimate users and not from forged requests. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious page), can alter the plugin's settings without the administrator's consent or knowledge. The vulnerability does not require the attacker to be authenticated, but it does require user interaction from an administrator. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction. The impact is limited to integrity, as confidentiality and availability are not affected. No known exploits are currently reported in the wild, and no official patches or updates have been published at the time of this report. The vulnerability is classified under CWE-352, which covers CSRF weaknesses that allow unauthorized commands to be transmitted from a user that the web application trusts.

Detailed information about CVE-2025-5930: CWE-352 Cross-Site Request Forgery (CSRF) in digitalacornjp WP2HTML affecting digitalacornjp WP2HTML. Get real-time up

CVE-2025-5930: CWE-352 Cross-Site Request Forgery (CSRF) in digitalacornjp WP2HTML - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5930: CWE-352 Cross-Site Request Forgery (CSRF) in digitalacornjp WP2HTML

The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-5928 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Sliding Login/Dashboard Panel plugin for WordPress, developed by fay-1. This vulnerability exists in all versions up to and including 2.1.1 due to missing or incorrect nonce validation in the wp_sliding_panel_user_options() function. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from unauthorized third parties. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that can be executed by tricking an authenticated site administrator into clicking a specially crafted link or visiting a malicious webpage. Once the administrator performs the action, the attacker can update plugin settings without authentication. Although the vulnerability does not allow direct compromise of user credentials or site content, it can lead to unauthorized changes in plugin configuration, potentially weakening site security or enabling further attacks. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction (the administrator must be tricked). The impact is limited to integrity (unauthorized modification of plugin settings) with no direct impact on confidentiality or availability. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability is classified under CWE-352, a common web application weakness related to CSRF attacks.

Detailed information about CVE-2025-5928: CWE-352 Cross-Site Request Forgery (CSRF) in fay-1 WP Sliding Login/Dashboard Panel affecting fay-1 WP Sliding Login/D

CVE-2025-5928: CWE-352 Cross-Site Request Forgery (CSRF) in fay-1 WP Sliding Login/Dashboard Panel - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5928: CWE-352 Cross-Site Request Forgery (CSRF) in fay-1 WP Sliding Login/Dashboard Panel

The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_menu_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-5926 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Link Shield plugin for WordPress, developed by jconti. This vulnerability exists in all versions up to and including 0.5.4 due to missing or incorrect nonce validation in the link_shield_menu_options() function. Nonces in WordPress are security tokens used to verify that a request comes from a legitimate source, preventing unauthorized actions. The absence or improper implementation of nonce validation allows an attacker to craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), can update plugin settings or inject malicious scripts. This attack does not require the attacker to be authenticated but relies on social engineering to trick an administrator into performing the action. The vulnerability impacts confidentiality and integrity by enabling unauthorized modification of plugin settings and potential script injection, but it does not affect availability. The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity. No known exploits are currently reported in the wild, and no patches have been published at the time of analysis. Given the plugin’s integration with WordPress, a widely used CMS, the vulnerability could be leveraged to compromise site configurations or facilitate further attacks such as persistent cross-site scripting (XSS).

Detailed information about CVE-2025-5926: CWE-352 Cross-Site Request Forgery (CSRF) in jconti Link Shield affecting jconti Link Shield. Get real-time updates, t

Title	Severity	Type	Source	Date

Threats Tagged 'cwe-352'

Filter Threats

Threats Tagged 'cwe-352'