Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25600 | 2 Fedoraproject, Weplugins | 2 Fedora, Wp Maps | 2025-05-07 | 6.8 MEDIUM | 5.4 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3).
|
|||||
| CVE-2015-9309 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 6.8 MEDIUM | 8.8 HIGH |
|
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.
|
|||||
| CVE-2015-9307 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 6.8 MEDIUM | 8.8 HIGH |
|
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.
|
|||||
| CVE-2015-9308 | 1 Weplugins | 1 Wp Maps | 2025-05-07 | 6.8 MEDIUM | 8.8 HIGH |
|
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.
|
|||||
| CVE-2023-6499 | 1 Calenfretts | 1 Lastunes | 2025-05-06 | N/A | 5.4 MEDIUM |
|
The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
|
|||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2025-05-06 | N/A | 6.5 MEDIUM |
|
The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator
|
|||||
| CVE-2022-40291 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 8.8 HIGH |
|
The application was vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to coerce users into sending malicious requests to the site to delete their account, or in rare circumstances, hijack their account and create other admin accounts.
|
|||||
| CVE-2024-13118 | 1 Brijeshk89 | 1 Ip Based Login | 2025-05-06 | N/A | 4.3 MEDIUM |
|
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack
|
|||||
| CVE-2022-40488 | 1 Processwire | 1 Processwire | 2025-05-06 | N/A | 6.5 MEDIUM |
|
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF).
|
|||||
| CVE-2024-24843 | 1 Powerpackelements | 1 Powerpack Addons For Elementor | 2025-05-06 | N/A | 7.1 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor.This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.
|
|||||
| CVE-2024-24849 | 1 Developingtheweb | 1 Quicksand Post Filter Jquery | 2025-05-06 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Mark Stockton Quicksand Post Filter jQuery Plugin.This issue affects Quicksand Post Filter jQuery Plugin: from n/a through 3.1.1.
|
|||||
| CVE-2024-24876 | 1 W-shadow | 1 Admin Menu Editor | 2025-05-06 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor.This issue affects Admin Menu Editor: from n/a through 1.12.
|
|||||
| CVE-2024-25904 | 1 Blackbam | 1 Tinymce And Tinymce Advanced Professsional Formats And Styles | 2025-05-06 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in David Stockl TinyMCE and TinyMCE Advanced Professsional Formats and Styles.This issue affects TinyMCE and TinyMCE Advanced Professsional Formats and Styles: from n/a through 1.1.2.
|
|||||
| CVE-2024-24798 | 1 Soninow | 1 Debug | 2025-05-06 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in SoniNow Team Debug.This issue affects Debug: from n/a through 1.10.
|
|||||
| CVE-2024-24802 | 1 Jtrt Responsive Tables Project | 1 Jtrt Responsive Tables | 2025-05-06 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in John Tendik JTRT Responsive Tables.This issue affects JTRT Responsive Tables: from n/a through 4.1.9.
|
|||||
| CVE-2024-5076 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-06 | N/A | 8.8 HIGH |
|
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2024-5077 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-06 | N/A | 6.8 MEDIUM |
|
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
|
|||||
| CVE-2024-12414 | 1 Themify | 1 Store Locator | 2025-05-06 | N/A | 4.3 MEDIUM |
|
The Themify Store Locator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the setting_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-13826 | 1 Intricateweb | 1 Email Keep | 2025-05-06 | N/A | 5.4 MEDIUM |
|
The Email Keep WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
|
|||||
| CVE-2025-1305 | 1 Spicethemes | 1 Newsblogger | 2025-05-06 | N/A | 8.8 HIGH |
|
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2024-42764 | 1 Kjayvik | 1 Bus Ticket Reservation System | 2025-05-06 | N/A | 9.4 CRITICAL |
|
Kashipara Bus Ticket Reservation System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via /deleteTicket.php.
|
|||||
| CVE-2022-2387 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-05-05 | N/A | 4.3 MEDIUM |
|
The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack
|
|||||
| CVE-2025-4188 | 2025-05-05 | N/A | 6.1 MEDIUM | ||
|
The Advanced Reorder Image Text Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'reorder-simple-image-text-slider-setting' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-4199 | 2025-05-05 | N/A | 6.1 MEDIUM | ||
|
The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-4198 | 2025-05-05 | N/A | 6.1 MEDIUM | ||
|
The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2021-28656 | 1 Apache | 1 Zeppelin | 2025-05-05 | N/A | 5.4 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Credential page of Apache Zeppelin allows an attacker to submit malicious request. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.
|
|||||
| CVE-2024-0779 | 1 Mediabetaprojects | 1 Enjoy Social Feed | 2025-05-05 | N/A | 8.8 HIGH |
|
The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have authorisation and CSRF in various function hooked to admin_init, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example
|
|||||
| CVE-2024-0858 | 1 Theinnovs | 1 Innovs Hr | 2025-05-05 | N/A | 8.8 HIGH |
|
The Innovs HR WordPress plugin through 1.0.3.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees.
|
|||||
| CVE-2024-0856 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-05-05 | N/A | 8.8 HIGH |
|
The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.
|
|||||
| CVE-2018-11493 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a friendship link via index.php?m=link&f=index&v=add.
|
|||||
| CVE-2018-10312 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
|
|||||
| CVE-2018-18711 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's password via index.php?m=core&f=panel&v=edit_info.
|
|||||
| CVE-2018-10248 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 5.8 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.
|
|||||
| CVE-2018-18712 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1.
|
|||||
| CVE-2022-2542 | 1 Summitmediaconcepts | 1 Ucontext For Clickbank | 2025-05-05 | N/A | 8.8 HIGH |
|
The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action ...
Show More |
|||||
| CVE-2022-2541 | 1 Summitmediaconcepts | 1 Ucontext For Amazon | 2025-05-05 | N/A | 8.8 HIGH |
|
The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action su ...
Show More |
|||||
| CVE-2022-2518 | 1 Berocket | 1 Stockists Manager For Woocommerce | 2025-05-05 | N/A | 8.8 HIGH |
|
The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-2435 | 1 Anymind | 1 Anymind Widget | 2025-05-05 | N/A | 8.8 HIGH |
|
The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-2233 | 1 Banner Cycler Project | 1 Banner Cycler | 2025-05-05 | N/A | 8.8 HIGH |
|
The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link
|
|||||
| CVE-2022-2223 | 1 Ghozylab | 1 Image Slider | 2025-05-05 | N/A | 5.4 MEDIUM |
|
The WordPress plugin Image Slider is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1.121 due to failure to properly check for the existence of a nonce in the function ewic_duplicate_slider. This make it possible for unauthenticated attackers to duplicate existing posts or pages granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||