Sandeep

**Name of the Vulnerable Software and Affected Versions** Coil Web Monetization plugin for WordPress versions prior to 2.0.3 **Description** The software is susceptible to a Cross-Site Request Forgery (CSRF) issue. This is caused by inadequate nonce validation when handling the `coil-get-css-selector` parameter within the `maybe restrict content` function. An unauthenticated attacker could potentially trigger CSS selector detection functionality by forging a request, provided they can trick a site administrator into performing an action. **Recommendations** Update the Coil Web Monetization plugin to version 2.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** WidgetPack Comment System versions prior to 1.6.2 **Description** The software is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the `wpcmt sync` action within the `wpcmt request handler` function. This allows unauthenticated attackers to trigger comment synchronization events through a forged request if they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update WidgetPack Comment System to version 1.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Page Blocks plugin for WordPress versions prior to 1.1.1 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF). This is a result of inadequate or missing nonce validation within the `admin process widget page change` function. An unauthenticated attacker could potentially modify widget page block configurations by deceiving a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update to Page Blocks plugin for WordPress version 1.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** HidePost plugin for WordPress versions prior to 2.3.9 **Description** The software is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation on the options.php settings page. This allows unauthenticated attackers to modify plugin settings by tricking a site administrator into performing an action, such as clicking a malicious link. **Recommendations** Update the HidePost plugin to version 2.3.9 or later.

**Name of the Vulnerable Software and Affected Versions** USS Upyun plugin for WordPress versions prior to 1.5.1 **Description** The USS Upyun plugin for WordPress is susceptible to a Cross-Site Request Forgery issue. This is due to missing or incorrect nonce validation within the `uss setting page` function when handling the `uss set` form type. Successful exploitation allows unauthenticated attackers to modify critical Upyun cloud storage settings, including the bucket name, operator credentials, upload paths, and image processing parameters, by forging requests and tricking a site administrator into performing an action. **Recommendations** Update the USS Upyun plugin to version 1.5.1 or later.

The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings page function. This makes it possible for unauthenticated attackers to modify critical API connection settings including the AMO.CRM API URL, login credentials, and API hash key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish save option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. This is due to missing or incorrect nonce validation on the check integration() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enable eng function. This makes it possible for unauthenticated attackers to modify administrator language settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl plugin options function. This makes it possible for unauthenticated attackers to modify plugin settings including distance units, pace display preferences, style themes, and display positions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Name of the Vulnerable Software and Affected Versions** Related Posts Lite plugin for WordPress versions prior to 1.13 **Description** The Related Posts Lite plugin for WordPress is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation on the settings update functionality. This allows unauthenticated attackers to modify plugin settings via a forged request if they can trick a site administrator into performing an action, such as clicking a link. **Recommendations** Update the Related Posts Lite plugin to version 1.13 or later.