Total
7765 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1463 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
| The Spreadsheet Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to improper nonce validation within the class-wpgsi-show.php script. This makes it possible for unauthenticated attackers to publish arbitrary posts, including private, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-1435 | 2025-03-05 | N/A | 6.3 MEDIUM | ||
| The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer makes it possible to select a role during registration. | |||||
| CVE-2025-0990 | 2025-03-05 | N/A | 4.3 MEDIUM | ||
| The I Am Gloria plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the iamgloria23_gloria_settings_page function. This makes it possible for unauthenticated attackers to reset the tenant ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-56903 | 2025-03-04 | N/A | 8.1 HIGH | ||
| Geovision GV-ASWeb with the version 6.1.1.0 or less allows attackers to modify POST request method with the GET against critical functionalities, such as account management. This vulnerability is used in chain with CVE-2024-56901 for a successful CSRF attack. | |||||
| CVE-2024-56901 | 2025-03-04 | N/A | 8.8 HIGH | ||
| A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASWeb application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Administrator accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack. | |||||
| CVE-2025-23411 | 1 Myscada | 1 Mypro | 2025-03-04 | N/A | 6.3 MEDIUM |
| mySCADA myPRO Manager is vulnerable to cross-site request forgery (CSRF), which could allow an attacker to obtain sensitive information. An attacker would need to trick the victim in to visiting an attacker-controlled website. | |||||
| CVE-2025-27579 | 2025-03-04 | N/A | 5.4 MEDIUM | ||
| In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage settings. | |||||
| CVE-2025-27402 | 2025-03-04 | N/A | 4.6 MEDIUM | ||
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap is missing CSRF protections on tracker fields administrative operations. An attacker could use this vulnerability to trick victims into removing or updating tracker fields. This vulnerability is fixed in Tuleap Community Edition 16.4.99.1740414959 and Tuleap Enterprise Edition 16.4-6 and 16.3-11. | |||||
| CVE-2024-13682 | 2025-03-04 | N/A | 4.3 MEDIUM | ||
| The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-1306 | 2025-03-04 | N/A | 8.8 HIGH | ||
| The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-23502 | 2025-03-03 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in NotFound Curated Search allows Stored XSS. This issue affects Curated Search: from n/a through 1.2. | |||||
| CVE-2025-23446 | 2025-03-03 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in NotFound WP SpaceContent allows Stored XSS. This issue affects WP SpaceContent: from n/a through 0.4.5. | |||||
| CVE-2024-7492 | 1 Mainwp | 1 Mainwp Child | 2025-03-01 | N/A | 8.8 HIGH |
| The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances. | |||||
| CVE-2025-1441 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-02-28 | N/A | 6.1 MEDIUM |
| The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-1205 | 1 Netgear | 2 Rax30, Rax30 Firmware | 2025-02-28 | N/A | 8.8 HIGH |
| NETGEAR Nighthawk WiFi6 Router prior to V1.0.10.94 is vulnerable to cross-site request forgery attacks on all endpoints due to improperly implemented CSRF protections. | |||||
| CVE-2024-13494 | 1 Iptanus | 1 Wordpress File Upload | 2025-02-28 | N/A | 4.3 MEDIUM |
| The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-1687 | 2025-02-28 | N/A | 8.8 HIGH | ||
| The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-27234 | 1 Jizhicms | 1 Jizhicms | 2025-02-27 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2.4.5 allows attackers to arbitrarily make configuration changes within the application. | |||||
| CVE-2023-27073 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2025-02-27 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in Online Food Ordering System v1.0 allows attackers to change user details and credentials via a crafted POST request. | |||||
| CVE-2025-1745 | 2025-02-27 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||