Total
8644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0335 | 1 Wpvar | 1 Wp Shamsi | 2025-02-19 | N/A | 6.5 MEDIUM |
| The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. | |||||
| CVE-2023-0336 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2025-02-19 | N/A | 6.5 MEDIUM |
| The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. | |||||
| CVE-2023-1089 | 1 Hasthemes | 1 Coupon Zen | 2025-02-19 | N/A | 4.3 MEDIUM |
| The Coupon Zen WordPress plugin before 1.0.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack | |||||
| CVE-2022-42447 | 1 Hcltech | 1 Hcl Compass | 2025-02-19 | N/A | 9.6 CRITICAL |
| HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS). This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious request. | |||||
| CVE-2024-13336 | 2025-02-19 | N/A | 4.3 MEDIUM | ||
| The Disable Auto Updates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'disable-auto-updates' page. This makes it possible for unauthenticated attackers to disable all auto updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-0865 | 2025-02-19 | N/A | 6.5 MEDIUM | ||
| The WP Media Category Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.0 to 2.3.3. This is due to missing or incorrect nonce validation on the wp_mcm_handle_action_settings() function. This makes it possible for unauthenticated attackers to alter plugin settings, such as the taxonomy used for media, the base slug for media categories, and the default media category via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13405 | 2025-02-19 | N/A | 4.3 MEDIUM | ||
| The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation on the 'awp_ip_deny' page. This makes it possible for unauthenticated attackers to block IP addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-9661 | 2025-02-18 | N/A | 4.3 MEDIUM | ||
| The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-24875 | 2025-02-18 | N/A | 6.8 MEDIUM | ||
| SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues. | |||||
| CVE-2025-1358 | 2025-02-18 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Pix Software Vivaz 6.0.10. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2020-19278 | 1 Mm-wiki Project | 1 Mm-wiki | 2025-02-14 | N/A | 8.8 HIGH |
| Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter. | |||||
| CVE-2023-1330 | 1 Inisev | 1 Redirection | 2025-02-14 | N/A | 6.5 MEDIUM |
| The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. | |||||
| CVE-2023-0820 | 1 Bestwebsoft | 1 User Role | 2025-02-14 | N/A | 8.8 HIGH |
| The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. | |||||
| CVE-2021-43353 | 1 Crisp | 1 Crisp | 2025-02-14 | 6.8 MEDIUM | 8.8 HIGH |
| The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31. | |||||
| CVE-2024-27948 | 1 Bytesforall | 1 Atahualpa | 2025-02-14 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa.This issue affects Atahualpa: from n/a through 3.7.24. | |||||
| CVE-2023-0480 | 1 Vitalpbx | 1 Vitalpbx | 2025-02-13 | N/A | 8.8 HIGH |
| VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. | |||||
| CVE-2024-2326 | 1 Caseproof | 1 Prettylinks | 2025-02-13 | N/A | 4.3 MEDIUM |
| The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's configuration including stripe integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-27968 | 1 Optimole | 1 Super Page Cache | 2025-02-12 | N/A | 7.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5. | |||||
| CVE-2024-49795 | 1 Ibm | 1 Applinx | 2025-02-12 | N/A | 4.3 MEDIUM |
| IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2024-49794 | 1 Ibm | 1 Applinx | 2025-02-12 | N/A | 4.3 MEDIUM |
| IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||