Total
8268 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67646 | 2025-12-12 | N/A | 3.5 LOW | ||
| TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension. | |||||
| CVE-2020-36900 | 2025-12-12 | N/A | N/A | ||
| All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft a malicious web page that automatically submits forms to create a new user with global administrative privileges when a logged-in user visits the page. | |||||
| CVE-2025-14165 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14161 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14062 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14158 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14391 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13366 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks. | |||||
| CVE-2025-14159 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated. | |||||
| CVE-2025-13987 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14160 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-58576 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may be performed. | |||||
| CVE-2025-13363 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13408 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14354 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12407 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14162 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-14117 | 1 Fit2cloud | 1 Halo | 2025-12-12 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-67472 | 1 Vcita | 1 Online Booking \& Scheduling Calendar | 2025-12-12 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5. | |||||
| CVE-2024-43192 | 1 Ibm | 4 Diamondback Tape Library, Diamondback Tape Library Firmware, Storage Ts4500 Library and 1 more | 2025-12-11 | N/A | 6.5 MEDIUM |
| IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||