Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2001 | 1 Devrix | 1 Dx Share Selection | 2025-05-05 | N/A | 8.8 HIGH |
|
The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-1969 | 1 Script | 1 Mobile Browser Color Select | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-1912 | 1 Smartsoft | 1 Button Widget Smartsoft | 2025-05-05 | N/A | 8.8 HIGH |
|
The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-1900 | 1 Copify | 1 Copify | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2022-1749 | 1 Wpmk Ajax Finder Project | 1 Wpmk Ajax Finder | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
|
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.
|
|||||
| CVE-2024-3940 | 1 Bozdoz | 1 Recaptcha Jetpack | 2025-05-05 | N/A | 8.8 HIGH |
|
The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
|
|||||
| CVE-2024-3941 | 1 Bozdoz | 1 Recaptcha Jetpack | 2025-05-05 | N/A | 4.7 MEDIUM |
|
The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.
|
|||||
| CVE-2022-42751 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 8.8 HIGH |
|
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions.
|
|||||
| CVE-2022-30608 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 8.8 HIGH |
|
"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a "user that the website trusts. IBM X-Force ID: 227295.
|
|||||
| CVE-2022-41413 | 1 Perfsonar | 1 Perfsonar | 2025-05-02 | N/A | 4.3 MEDIUM |
|
perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function.
|
|||||
| CVE-2024-5033 | 1 Toolstack | 1 Sully | 2025-05-02 | N/A | 5.9 MEDIUM |
|
The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
|
|||||
| CVE-2024-5034 | 1 Toolstack | 1 Sully | 2025-05-02 | N/A | 8.8 HIGH |
|
The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
|
|||||
| CVE-2006-5175 | 1 Buffalo-technology | 1 Terastation Hd-htgl Firmware | 2025-05-02 | 7.6 HIGH | N/A |
|
Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors.
|
|||||
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | N/A | 4.3 MEDIUM |
|
The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options
|
|||||
| CVE-2022-3537 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2025-05-01 | N/A | 8.8 HIGH |
|
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP
|
|||||
| CVE-2022-3536 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2025-05-01 | N/A | 8.8 HIGH |
|
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog
|
|||||
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | N/A | 5.3 MEDIUM |
|
The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request
|
|||||
| CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2025-05-01 | N/A | 8.8 HIGH |
|
DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords.
|
|||||
| CVE-2023-7202 | 1 Verygoodplugins | 1 Fatal Error Notify | 2025-05-01 | N/A | 6.1 MEDIUM |
|
The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF
|
|||||
| CVE-2024-42586 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) in the component categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
|
|||||
| CVE-2024-42585 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) in the component delete_media.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
|
|||||
| CVE-2024-42578 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.0 HIGH |
|
A Cross-Site Request Forgery (CSRF) in the component edit_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
|
|||||
| CVE-2024-42576 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) in the component edit_categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
|
|||||
| CVE-2022-45130 | 1 Plesk | 1 Obsidian | 2025-05-01 | N/A | 6.5 MEDIUM |
|
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.
|
|||||
| CVE-2024-4529 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 5.0 MEDIUM |
|
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF attacks
|
|||||
| CVE-2024-4530 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 6.3 MEDIUM |
|
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks
|
|||||
| CVE-2024-4531 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 7.1 HIGH |
|
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF attacks
|
|||||
| CVE-2024-4532 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 6.4 MEDIUM |
|
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks
|
|||||
| CVE-2025-24358 | 2025-05-01 | N/A | N/A | ||
|
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not r ...
Show More |
|||||
| CVE-2021-25931 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 6.8 MEDIUM | 8.8 HIGH |
|
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privi ...
Show More |
|||||
| CVE-2021-25930 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 4.3 MEDIUM | 4.3 MEDIUM |
|
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the ...
Show More |
|||||
| CVE-2022-3632 | 1 Digitialpixies | 1 Oauth Client | 2025-04-30 | N/A | 6.5 MEDIUM |
|
The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions.
|
|||||
| CVE-2022-35613 | 1 Konker | 1 Konker Platform | 2025-04-30 | N/A | 8.8 HIGH |
|
Konker v2.3.9 was to discovered to contain a Cross-Site Request Forgery (CSRF).
|
|||||
| CVE-2022-2449 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | N/A | 6.5 MEDIUM |
|
The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site.
|
|||||
| CVE-2022-44389 | 1 Eyoucms | 1 Eyoucms | 2025-04-30 | N/A | 6.5 MEDIUM |
|
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.
|
|||||
| CVE-2022-44387 | 1 Eyoucms | 1 Eyoucms | 2025-04-30 | N/A | 8.8 HIGH |
|
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module.
|
|||||
| CVE-2024-13146 | 1 Fs-code | 1 Booknetic | 2025-04-30 | N/A | 8.8 HIGH |
|
The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack
|
|||||
| CVE-2022-45393 | 1 Jenkins | 1 Delete Log | 2025-04-30 | N/A | 3.5 LOW |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs.
|
|||||
| CVE-2024-42768 | 1 Jayesh | 1 Hotel Management System | 2025-04-30 | N/A | 6.8 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) vulnerability was found in Kashipara Hotel Management System v1.0 via /admin/delete_room.php.
|
|||||
| CVE-2024-45527 | 1 Vanderbilt | 1 Redcap | 2025-04-30 | N/A | 6.1 MEDIUM |
|
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.
|
|||||