Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0952 | 1 Sitemap Project | 1 Sitemap | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.
|
|||||
| CVE-2022-0916 | 1 Logitech | 1 Options | 2024-11-21 | 6.8 MEDIUM | 8.4 HIGH |
|
An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
|
|||||
| CVE-2022-0914 | 1 Atlasgondal | 1 Export All Urls | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example
|
|||||
| CVE-2022-0875 | 1 Miniorange | 1 Google Authenticator | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks
|
|||||
| CVE-2022-0833 | 1 Church Admin Project | 1 Church Admin | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data
|
|||||
| CVE-2022-0830 | 1 Formbuilder Project | 1 Formbuilder | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.
|
|||||
| CVE-2022-0770 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page
|
|||||
| CVE-2022-0681 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
|
|||||
| CVE-2022-0642 | 1 Jivochat | 1 Jivochat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.
|
|||||
| CVE-2022-0638 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
|
|||||
| CVE-2022-0634 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.
|
|||||
| CVE-2022-0616 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack
|
|||||
| CVE-2022-0515 | 1 Craterapp | 1 Crater | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4.
|
|||||
| CVE-2022-0505 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
|
|||||
| CVE-2022-0499 | 1 Sermon Browser Project | 1 Sermon Browser | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.
|
|||||
| CVE-2022-0445 | 1 Devowl | 1 Wordpress Real Cookie Banner | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack
|
|||||
| CVE-2022-0444 | 1 Watchful | 1 Xcloner | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
|
|||||
| CVE-2022-0439 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.
|
|||||
| CVE-2022-0427 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
|
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover
|
|||||
| CVE-2022-0398 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
|
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website
|
|||||
| CVE-2022-0345 | 1 Madewithfuel | 1 Customize Wordpress Emails And Alerts | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).
|
|||||
| CVE-2022-0335 | 1 Moodle | 1 Moodle | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
|
|||||
| CVE-2022-0328 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
|
The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
|
|||||
| CVE-2022-0313 | 1 Wow-estore | 1 Float Menu | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack
|
|||||
| CVE-2022-0269 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
|
Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.
|
|||||
| CVE-2022-0245 | 1 Livehelperchat | 1 Livehelperchat | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.
|
|||||
| CVE-2022-0238 | 2 Fedoraproject, Phoronix-media | 2 Fedora, Phoronix Test Suite | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF)
|
|||||
| CVE-2022-0231 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
|
|||||
| CVE-2022-0229 | 1 Miniorange | 1 Google Authenticator | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
|
|||||
| CVE-2022-0226 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
|
|||||
| CVE-2022-0215 | 1 Xootix | 3 Login\/signup Popup, Side Cart Woocommerce, Waitlist Woocommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions ...
Show More |
|||||
| CVE-2022-0199 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack
|
|||||
| CVE-2022-0197 | 2 Fedoraproject, Phoronix-media | 2 Fedora, Phoronix Test Suite | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF)
|
|||||
| CVE-2022-0196 | 2 Fedoraproject, Phoronix-media | 2 Fedora, Phoronix Test Suite | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF)
|
|||||
| CVE-2022-0191 | 1 Acnam | 1 Ad Invalid Click Protector | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans
|
|||||
| CVE-2022-0180 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Master versions prior to 7.3.7 allows a remote attacker to hijack the authentication of administrators and conduct arbitrary operations via a specially crafted web page.
|
|||||
| CVE-2022-0164 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users
|
|||||
| CVE-2022-0154 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
|
An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account.
|
|||||
| CVE-2022-0141 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks
|
|||||
| CVE-2022-0134 | 1 Bologer | 1 Anycomment | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack
|
|||||