Swat

**Name of the Vulnerable Software and Affected Versions** Laiser Tag versions prior to 1.2.6 **Description** The Laiser Tag plugin for WordPress is subject to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into executing unwanted actions. This occurs due to missing or incorrect nonce validation in the `addOptionsPageFields()` function. Unauthenticated attackers can exploit this by tricking a site administrator into clicking a malicious link, allowing the attacker to update plugin settings such as the API key, tag blacklist, relevance threshold, batch size, and tagging toggles. **Recommendations** Update the plugin to a version later than 1.2.5. As a temporary workaround, restrict access to the plugin settings page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Plus One Bottom versions prior to 0.0.3 **Description** The Google Plus One Bottom plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into executing unwanted actions. This occurs due to missing or incorrect nonce validation within the `googlePlusOneAdmin()` function. Unauthenticated attackers can modify plugin settings stored in the database, specifically the `plusone-lang`, `plusone-callback`, and `plusone-url` variables, by inducing a site administrator to click a malicious link. **Recommendations** Update the plugin to a version later than 0.0.2. As a temporary workaround, restrict access to the `googlePlusOneAdmin()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Remove NoFollow Commenter URL versions prior to 1.1 **Description** The plugin is subject to Cross-Site Request Forgery due to missing or incorrect nonce validation in the `gmz comment settings save()` function. This allows unauthenticated attackers to modify the comment-display setting by tricking a site administrator into clicking a malicious link. **Recommendations** Update to a version later than 1.0. As a temporary workaround, restrict access to the plugin settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EmergencyWP – Dead Man's switch & legacy deliverance versions prior to 1.4.3 **Description** The plugin is susceptible to Cross-Site Request Forgery due to missing or incorrect nonce validation in the `form settings ui()` function. This allows unauthenticated attackers to modify plugin settings by tricking a site administrator into clicking a malicious link. Affected settings include the minimum access role, the data-erasure-on-uninstall flag, life-check timing values, the mandatory email address, the confirmation page ID, and date/time formats. Nonce validation is a security mechanism used to ensure that a request was intentionally sent by the user and not forged by a third party. **Recommendations** Update to a version later than 1.4.2. As a temporary workaround, restrict access to the `form settings ui()` function to minimize the risk of exploitation.