Total
8644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13555 | 1 1clickmigration | 1 1 Click Migration | 2025-02-24 | N/A | 5.3 MEDIUM |
| The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes it possible for unauthenticated attackers to cancel a triggered backup via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13522 | 1 Magayo | 1 Magayo Lottery Results | 2025-02-24 | N/A | 6.1 MEDIUM |
| The magayo Lottery Results plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.12. This is due to missing or incorrect nonce validation on the 'magayo-lottery-results' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-10581 | 1 Designinvento | 1 Directorypress | 2025-02-24 | N/A | 4.3 MEDIUM |
| The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfl_listingStatusChange() function. This makes it possible for unauthenticated attackers to update listing statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13684 | 1 Smartzminds | 1 Reset | 2025-02-21 | N/A | 8.1 HIGH |
| The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the reset_db_page() function. This makes it possible for unauthenticated attackers to reset several tables in the database like comments, themes, plugins, and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13852 | 1 Backie | 1 Option Editor | 2025-02-21 | N/A | 8.8 HIGH |
| The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2025-0796 | 1 Kevinbrent | 1 Wprequal | 2025-02-21 | N/A | 4.3 MEDIUM |
| The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.10. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13315 | 1 Shopwarden | 1 Shopwarden | 2025-02-21 | N/A | 8.8 HIGH |
| The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13438 | 1 Speedsize | 1 Speedsize Image \& Video Ai-optimizer | 2025-02-21 | N/A | 4.3 MEDIUM |
| The SpeedSize Image & Video AI-Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the 'speedsize_clear_css_cache_action' function. This makes it possible for unauthenticated attackers to clear the plugins cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13523 | 1 Shenyanzhi | 1 Memorialday | 2025-02-21 | N/A | 6.1 MEDIUM |
| The MemorialDay plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13795 | 1 Lightspeedhq | 1 Ecwid Ecommerce Shopping Cart | 2025-02-21 | N/A | 4.3 MEDIUM |
| The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13718 | 1 Wpdesk | 1 Flexible Wishlist For Woocommerce | 2025-02-21 | N/A | 4.3 MEDIUM |
| The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other user's wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-2960 | 1 Svs-websoft | 1 Svs Pricing Tables | 2025-02-20 | N/A | 4.3 MEDIUM |
| The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the deletePricingTable() function. This makes it possible for unauthenticated attackers to delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-2959 | 1 Svs-websoft | 1 Svs Pricing Tables | 2025-02-20 | N/A | 4.3 MEDIUM |
| The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable() function. This makes it possible for unauthenticated attackers to create and edit pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-7141 | 2025-02-20 | N/A | N/A | ||
| Versions of Gliffy Online prior to versions 4.14.0-7 contains a Cross Site Request Forgery (CSRF) flaw. | |||||
| CVE-2024-12386 | 1 Kevonadonis | 1 Wp Abstracts | 2025-02-20 | N/A | 8.1 HIGH |
| The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-10095 | 2025-02-20 | N/A | 8.1 HIGH | ||
| Various Lexmark devices have CSRF that allows an attacker to modify the configuration of the device. | |||||
| CVE-2023-5823 | 1 Themekraft | 1 Tk Google Fonts Gdpr Compliant | 2025-02-19 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions. | |||||
| CVE-2023-47238 | 1 Webberzone | 1 Top 10 | 2025-02-19 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WebberZone Top 10 – WordPress Popular posts by WebberZone plugin <= 3.3.2 versions. | |||||
| CVE-2022-29489 | 1 Sucuri | 1 Security | 2025-02-19 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Sucuri Security plugin <= 1.8.33 at WordPress leading to Event log entry creation. | |||||
| CVE-2023-0498 | 1 Hasthemes | 1 Wp Education | 2025-02-19 | N/A | 4.3 MEDIUM |
| The WP Education WordPress plugin before 1.2.7 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack | |||||