The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack
CWE-352
CVE-2021-24725
The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its ‘Delete comments easily’, which could allow attackers to make logged in admin delete arbitrary comments
CVE-2021-24730
The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.
CVE-2021-24735
The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the “Disable Simultaneous Play” setting via a CSRF attack.
CVE-2021-24674
The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack
CVE-2021-24675
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack