Total
7778 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-33338 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 5.1 MEDIUM | 7.5 HIGH |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | |||||
| CVE-2024-5028 | 1 Cminds | 1 Cm Search And Replace | 2025-05-13 | N/A | 6.5 MEDIUM |
| The CM WordPress Search And Replace Plugin WordPress plugin before 1.3.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-5167 | 1 Cminds | 1 Cm E-mail Blacklist | 2025-05-13 | N/A | 8.1 HIGH |
| The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers to make a logged in admin add or delete settings from the blacklist or whitelist menu via a CSRF attack | |||||
| CVE-2024-26450 | 1 Piwigo | 1 Piwigo | 2025-05-13 | N/A | 5.4 MEDIUM |
| An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener. | |||||
| CVE-2022-45847 | 1 Wpassist | 1 Countdown Widget | 2025-05-13 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1. | |||||
| CVE-2023-39311 | 1 Avada | 1 Fusion Builder | 2025-05-13 | N/A | 7.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1. | |||||
| CVE-2024-23510 | 1 Martynchamberlin | 1 Dont Muck My Markup | 2025-05-13 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Martyn Chamberlin Don't Muck My Markup.This issue affects Don't Muck My Markup: from n/a through 1.8. | |||||
| CVE-2024-26469 | 1 Prestalife | 1 Product Designer | 2025-05-13 | N/A | 8.1 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to cause a denial of service (DoS) and escalate privileges via the url parameter in the postProcess() method. | |||||
| CVE-2023-52555 | 1 Mongo-express Project | 1 Mongo-express | 2025-05-13 | N/A | 6.1 MEDIUM |
| In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection. | |||||
| CVE-2024-3965 | 1 Projectcaruso | 1 Pray For Me | 2025-05-13 | N/A | 5.4 MEDIUM |
| The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-3993 | 1 Wp-master | 1 Azan | 2025-05-13 | N/A | 4.6 MEDIUM |
| The AZAN Plugin WordPress plugin through 0.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-4480 | 1 Goprayer | 1 Prayer | 2025-05-13 | N/A | 6.1 MEDIUM |
| The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-2262 | 1 Themify | 1 Woocommerce Product Filter | 2025-05-13 | N/A | 4.7 MEDIUM |
| Themify WordPress plugin before 1.4.4 does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs | |||||
| CVE-2025-47546 | 1 Wpcompress | 1 Wp Compress | 2025-05-12 | N/A | 7.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in AresIT WP Compress allows Cross Site Request Forgery. This issue affects WP Compress: from n/a through 6.30.30. | |||||
| CVE-2022-43340 | 1 Dzzoffice | 1 Dzzoffice | 2025-05-12 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) in dzzoffice 2.02.1_SC_UTF8 allows attackers to arbitrarily create user accounts and grant Administrator rights to regular users. | |||||
| CVE-2025-47624 | 1 Apasionados | 1 Dofollow Case By Case | 2025-05-12 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through 3.5.1. | |||||
| CVE-2025-47633 | 1 Awin | 1 Awin - Advertiser Tracking For Woocommerce | 2025-05-12 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Awin Awin – Advertiser Tracking for WooCommerce allows Cross Site Request Forgery. This issue affects Awin – Advertiser Tracking for WooCommerce: from n/a through 2.0.0. | |||||
| CVE-2025-2168 | 1 Bdthemes | 1 Ultimate Store Kit | 2025-05-12 | N/A | 4.3 MEDIUM |
| The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock and administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-3959 | 1 Withstars | 1 Books-management-system | 2025-05-12 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-3964 | 1 Withstars | 1 Books-management-system | 2025-05-12 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||