Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2262 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-13 | N/A | 4.7 MEDIUM |
|
Themify WordPress plugin before 1.4.4 does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs
|
|||||
| CVE-2025-47546 | 1 Wpcompress | 1 Wp Compress | 2025-05-12 | N/A | 7.1 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress allows Cross Site Request Forgery. This issue affects WP Compress: from n/a through 6.30.30.
|
|||||
| CVE-2022-43340 | 1 Dzzoffice | 1 Dzzoffice | 2025-05-12 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users.
|
|||||
| CVE-2025-47624 | 1 Apasionados | 1 Dofollow Case By Case | 2025-05-12 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through 3.5.1.
|
|||||
| CVE-2025-47633 | 1 Awin | 1 Awin - Advertiser Tracking For Woocommerce | 2025-05-12 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through 2.0.0.
|
|||||
| CVE-2025-2168 | 1 Bdthemes | 1 Ultimate Store Kit | 2025-05-12 | N/A | 4.3 MEDIUM |
|
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock and administrator out of their site v ...
Show More |
|||||
| CVE-2025-3959 | 1 Withstars | 1 Books-management-system | 2025-05-12 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2025-3964 | 1 Withstars | 1 Books-management-system | 2025-05-12 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2025-3979 | 1 Lecms | 1 Lecms | 2025-05-12 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-password-ajax-1 of the component Password Change Handler. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-4375 | 2025-05-12 | N/A | N/A | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password.
This issue affects Pro Cloud Server: earlier than 6.0.165.
|
|||||
| CVE-2025-46743 | 2025-05-12 | N/A | 6.3 MEDIUM | ||
|
An authenticated user's token could be used by another source after the user had logged out prior to the token expiring.
|
|||||
| CVE-2021-24870 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-05-12 | N/A | 6.1 MEDIUM |
|
The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload
|
|||||
| CVE-2023-44993 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.7.8 versions.
|
|||||
| CVE-2023-5534 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 4.3 MEDIUM |
|
The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-13096 | 1 Mch0lic | 1 Wp Finance | 2025-05-12 | N/A | 4.6 MEDIUM |
|
The WP Finance WordPress plugin through 1.3.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
|
|||||
| CVE-2024-12709 | 1 Ombu | 1 Bulk Me Now\! | 2025-05-11 | N/A | 4.3 MEDIUM |
|
The Bulk Me Now! WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.
|
|||||
| CVE-2025-4088 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | N/A | 6.5 MEDIUM |
|
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
|
|||||
| CVE-2024-2858 | 1 Robbychen | 1 Simple Buttons Creator | 2025-05-08 | N/A | 4.8 MEDIUM |
|
The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2024-2857 | 1 Robbychen | 1 Simple Buttons Creator | 2025-05-08 | N/A | 6.1 MEDIUM |
|
The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
|
|||||
| CVE-2022-43408 | 1 Jenkins | 1 Pipeline\ | 2025-05-08 | N/A | 6.5 MEDIUM |
|
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
|
|||||
| CVE-2022-43407 | 1 Jenkins | 1 Pipeline\ | 2025-05-08 | N/A | 8.8 HIGH |
|
Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.
|
|||||
| CVE-2024-2739 | 1 Mndpsingh287 | 1 Advanced Search | 2025-05-08 | N/A | 8.7 HIGH |
|
The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2024-6136 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | 5.4 MEDIUM |
|
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2022-43418 | 1 Jenkins | 1 Katalon | 2025-05-08 | N/A | 4.3 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2024-3472 | 1 Wow-company | 1 Modal Window | 2025-05-08 | N/A | 5.9 MEDIUM |
|
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack
|
|||||
| CVE-2024-3471 | 1 Wow-company | 1 Button Generator | 2025-05-08 | N/A | 3.4 LOW |
|
The Button Generator WordPress plugin before 3.0 does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack
|
|||||
| CVE-2024-2405 | 1 Wow-company | 1 Float Menu | 2025-05-08 | N/A | 4.5 MEDIUM |
|
The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.
|
|||||
| CVE-2024-12436 | 1 Marvinlabs | 1 Wp Customer Area | 2025-05-08 | N/A | 4.3 MEDIUM |
|
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2024-12280 | 1 Marvinlabs | 1 Wp Customer Area | 2025-05-08 | N/A | 4.3 MEDIUM |
|
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack
|
|||||
| CVE-2024-3481 | 1 Wow-company | 1 Counter Box | 2025-05-08 | N/A | 5.2 MEDIUM |
|
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks
|
|||||
| CVE-2024-3478 | 1 Wow-company | 1 Herd Effects | 2025-05-08 | N/A | 6.1 MEDIUM |
|
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks
|
|||||
| CVE-2024-3477 | 1 Wow-company | 1 Popup Box | 2025-05-08 | N/A | 4.3 MEDIUM |
|
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks
|
|||||
| CVE-2024-3476 | 1 Wow-company | 1 Side Menu Lite | 2025-05-08 | N/A | 8.8 HIGH |
|
The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
|
|||||
| CVE-2024-3475 | 1 Wow-company | 1 Sticky Buttons | 2025-05-08 | N/A | 7.5 HIGH |
|
The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
|
|||||
| CVE-2022-42199 | 1 Simple Exam Reviewer Management System Project | 1 Simple Exam Reviewer Management System | 2025-05-08 | N/A | 8.8 HIGH |
|
Simple Exam Reviewer Management System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Exam List.
|
|||||
| CVE-2025-47466 | 2025-05-08 | N/A | 5.4 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate WP Mail allows Cross Site Request Forgery. This issue affects Ultimate WP Mail: from n/a through 1.3.4.
|
|||||
| CVE-2025-47491 | 2025-05-08 | N/A | 7.4 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery. This issue affects Contact Form Widget: from n/a through 1.4.6.
|
|||||
| CVE-2025-47473 | 2025-05-08 | N/A | 5.4 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in pimwick PW WooCommerce Bulk Edit allows Cross Site Request Forgery. This issue affects PW WooCommerce Bulk Edit: from n/a through 2.134.
|
|||||
| CVE-2025-47446 | 2025-05-08 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in listamester Listamester allows Cross Site Request Forgery. This issue affects Listamester: from n/a through 2.3.6.
|
|||||
| CVE-2025-47448 | 2025-05-08 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through 2.1.9.
|
|||||