Total
7785 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9778 | 1 Getbutterfly | 1 Imagepress | 2024-11-25 | N/A | 4.3 MEDIUM |
| The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-51669 | 1 Vivwebsolutions | 1 Dynamic Widgets | 2024-11-25 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Vivwebs Dynamic Widgets.This issue affects Dynamic Widgets: from n/a through 1.6.4. | |||||
| CVE-2024-52392 | 1 W3speedster | 1 W3speedster | 2024-11-25 | N/A | 6.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in W3speedster W3SPEEDSTER.This issue affects W3SPEEDSTER: from n/a through 7.25. | |||||
| CVE-2024-11415 | 2024-11-23 | N/A | 8.8 HIGH | ||
| The WP-Orphanage Extended plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the wporphanageex_menu_settings() function. This makes it possible for unauthenticated attackers to escalate the privileges of all orphan accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-28731 | 1 Dlink | 2 Dwr-2000m, Dwr-2000m Firmware | 2024-11-22 | N/A | 4.3 MEDIUM |
| Cross Site Request Forgery vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the Port forwarding option. | |||||
| CVE-2024-52446 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM allows Object Injection.This issue affects Buying Buddy IDX CRM: from n/a through 1.1.12. | |||||
| CVE-2024-11416 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-10726 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-52451 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Aaron Robbins Post Ideas allows SQL Injection.This issue affects Post Ideas: from n/a through 2. | |||||
| CVE-2024-7226 | 1 Oretnom23 | 1 Medicine Tracker System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-7169 | 1 Oretnom23 | 1 School Fees Payment System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583. | |||||
| CVE-2024-7161 | 1 Seacms | 1 Seacms | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575. | |||||
| CVE-2024-7106 | 1 Denkgroot | 1 Spina | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-7065 | 1 Denkgroot | 1 Spina | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272346 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-6751 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 6.3 MEDIUM |
| The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. | |||||
| CVE-2024-6649 | 1 Oretnom23 | 1 Employee And Visitor Gate Pass Logging System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is the function save_users of the file Users.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271057 was assigned to this vulnerability. | |||||
| CVE-2024-6405 | 1 Varniinfotech | 1 Floating Social Buttons | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-6271 | 1 Community Events Project | 1 Community Events | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack | |||||
| CVE-2024-6075 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-11-21 | N/A | 8.8 HIGH |
| The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-6023 | 1 Adamsolymosi | 1 Contentlock | 2024-11-21 | N/A | 8.8 HIGH |
| The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when adding emails, which could allow attackers to make a logged in admin perform such action via a CSRF attack | |||||