Vulnerabilities (CVE)

Filtered by CWE-352
Total 9184 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-34636 1 Wpdevart 1 Countdown And Countup\, Woocommerce Sales Timer 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.
CVE-2021-34634 1 Sola-newsletters Project 1 Sola-newsletters 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23.
CVE-2021-34633 1 Youtube Feeder Project 1 Youtube Feeder 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1.
CVE-2021-34632 1 Seo Backlinks Project 1 Seo Backlinks 2026-06-17 6.8 MEDIUM 8.8 HIGH
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.
CVE-2021-34631 1 Ipdgroup 1 Newsplugin 2026-06-17 6.8 MEDIUM 8.8 HIGH
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18.
CVE-2021-34628 1 Weblizar 1 Admin Custom Login 2026-06-17 6.8 MEDIUM 8.8 HIGH
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.
CVE-2021-34620 1 Fluentforms 1 Contact Form 2026-06-17 6.8 MEDIUM 8.8 HIGH
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions
CVE-2021-34619 1 Storeapps 1 Stock Manager For Woocommerce 2026-06-17 6.8 MEDIUM 8.8 HIGH
The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file.
CVE-2021-34547 1 Paessler 1 Prtg Network Monitor 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation.
CVE-2021-34360 1 Qnap 4 Nas Proxy Server, Qts, Quts Hero and 1 more 2026-06-17 6.8 MEDIUM 5.3 MEDIUM
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later
CVE-2021-34358 1 Qnap 2 Nas, Qmailagent 2026-06-17 6.8 MEDIUM 6.8 MEDIUM
We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 ( 2021/08/25 ) and later
CVE-2021-34244 1 Icehrm 1 Icehrm 2026-06-17 6.8 MEDIUM 8.8 HIGH
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.
CVE-2021-34167 1 Taogogo 1 Taocms 2026-06-17 N/A 8.8 HIGH
Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php.
CVE-2021-34086 1 Ultimaker 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more 2026-06-17 6.8 MEDIUM 8.8 HIGH
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.
CVE-2021-33396 1 Baijiacms Project 1 Baijiacms 2026-06-17 N/A 6.5 MEDIUM
Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.
CVE-2021-33338 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-06-17 5.1 MEDIUM 7.5 HIGH
The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter.
CVE-2021-32991 1 Deltaww 1 Diaenergie 2026-06-17 4.3 MEDIUM 4.3 MEDIUM
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.
CVE-2021-32929 1 Uffizio 1 Gps Tracker 2026-06-17 6.8 MEDIUM 4.3 MEDIUM
All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
CVE-2021-32776 1 Combodo 1 Itop 2026-06-17 6.8 MEDIUM 6.8 MEDIUM
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
CVE-2021-32774 1 Miraheze 1 Datadump 2026-06-17 5.8 MEDIUM 6.1 MEDIUM
DataDump is a MediaWiki extension that provides dumps of wikis. Prior to commit 67a82b76e186925330b89ace9c5fd893a300830b, DataDump had no protection against CSRF attacks so requests to generate or delete dumps could be forged. The vulnerability was patched in commit 67a82b76e186925330b89ace9c5fd893a300830b. There are no known workarounds. You must completely disable DataDump.