Total: 8760 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31413 | | | 2026-01-26 | N/A | 8.8 HIGH |

Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13.

| CVE-2025-36411 | 1 Ibm | 1 Applinx | 2026-01-26 | N/A | 3.5 LOW |

IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

| CVE-2021-47754 | 1 Arunna | 1 Arunna | 2026-01-26 | N/A | 6.5 MEDIUM |

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form.

| CVE-2019-25252 | 1 Teradek | 6 Vidiu, Vidiu Firmware, Vidiu Mini and 3 more | 2026-01-26 | N/A | 4.3 MEDIUM |

Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page.

| CVE-2018-25156 | 1 Teradek | 2 Cube, Cube Firmware | 2026-01-26 | N/A | 4.3 MEDIUM |

Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device's system configuration interface.

| CVE-2018-25155 | 1 Teradek | 2 Slice, Slice Firmware | 2026-01-26 | N/A | 4.3 MEDIUM |

Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits password change requests to the device when a logged-in user visits the page.

| CVE-2018-25149 | 1 Microhardcorp | 22 Bullet-3g, Bullet-3g Firmware, Bullet-lte and 19 more | 2026-01-26 | N/A | 6.5 MEDIUM |

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page.

| CVE-2022-47424 | 1 Reputeinfosystems | 1 Armember | 2026-01-26 | N/A | 5.4 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in Repute InfoSystems ARMember, Repute InfoSystems ARMember Premium allows Cross-Site Request Forgery. This issue affects ARMember: from n/a through 4.0.5; ARMember Premium: from n/a before 6.7.1.

| CVE-2025-39472 | 1 Wpwebelite | 1 Woocommerce Social Login | 2026-01-26 | N/A | 4.3 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in WPWeb WooCommerce Social Login allows Cross Site Request Forgery. This issue affects WooCommerce Social Login: from n/a before 2.8.3.

| CVE-2021-47820 | | | 2026-01-26 | N/A | 5.3 MEDIUM |

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent.

| CVE-2026-1051 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

| CVE-2021-47830 | | | 2026-01-26 | N/A | N/A |

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.

| CVE-2021-47860 | | | 2026-01-26 | N/A | 5.3 MEDIUM |

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.

| CVE-2026-24384 | | | 2026-01-26 | N/A | 5.4 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14.

| CVE-2026-24365 | | | 2026-01-26 | N/A | 5.4 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.

| CVE-2026-24374 | | | 2026-01-26 | N/A | 5.4 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9.

| CVE-2026-22359 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0.

| CVE-2026-24596 | | | 2026-01-26 | N/A | 4.7 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1.

| CVE-2026-1070 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-13139 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-14630 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-14906 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2026-1081 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2026-1208 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2026-1088 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-14907 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-13194 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-13205 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking o ...

| CVE-2026-1075 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2025-14903 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2026-1076 | | | 2026-01-26 | N/A | 4.3 MEDIUM |

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

| CVE-2024-33680 | 1 Mainwp | 1 Mainwp Child Reports | 2026-01-23 | N/A | 5.4 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports. This issue affects MainWP Child Reports: from n/a through 2.1.1.

| CVE-2024-31272 | 1 Reputeinfosystems | 1 Arforms Form Builder | 2026-01-23 | N/A | 6.3 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in Repute InfoSystems ARForms Form Builder. This issue affects ARForms Form Builder: from n/a through 1.6.1.

| CVE-2024-9450 | 1 Syntacticsinc | 1 Easync | 2026-01-23 | N/A | 6.5 MEDIUM |

The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in subscriber change them via a CSRF attack.

| CVE-2021-24767 | 1 Wpvibes | 1 Redirect 404 Error Page To Homepage Or Custom Page With Logs | 2026-01-23 | 4.3 MEDIUM | 6.5 MEDIUM |

The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged-in admin delete them via a CSRF attack.

| CVE-2024-8047 | 1 Freakingwildchild | 1 Visual Sound | 2026-01-23 | N/A | 6.5 MEDIUM |

The Visual Sound (old) WordPress plugin through 1.06 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

| CVE-2024-7859 | 1 Freakingwildchild | 1 Visual Sound | 2026-01-23 | N/A | 6.5 MEDIUM |

The Visual Sound WordPress plugin through 1.03 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

| CVE-2023-28749 | 1 Cminds | 1 Cm Search And Replace | 2026-01-23 | N/A | 4.3 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions.

| CVE-2025-58576 | 1 Groupsession | 1 Groupsession | 2026-01-23 | N/A | 4.3 MEDIUM |

Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may be performed.

| CVE-2025-39351 | 1 Themegoods | 1 Grand Restaurant | 2026-01-22 | N/A | 4.3 MEDIUM |

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Restaurant WordPress allows Cross Site Request Forgery. This issue affects Grand Restaurant WordPress: from n/a through 7.0.