Total
9135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-5669 | 1 Read And Understood Project | 1 Read And Understood | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php. | |||||
| CVE-2018-5658 | 1 Responsive Coming Soon Page Project | 1 Responsive Coming Soon Page | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php. | |||||
| CVE-2018-5656 | 1 Weblizar | 1 Pinterest-feeds | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php. | |||||
| CVE-2018-5368 | 1 Srbtranslatin Project | 1 Srbtranslatin | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtranslatoptions action to wp-admin/options-general.php. | |||||
| CVE-2018-5361 | 1 Wpglobus | 1 Wpglobus | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php. | |||||
| CVE-2018-5329 | 1 Beims | 1 Contractorweb.net | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. | |||||
| CVE-2018-5301 | 1 Magento | 1 Magento | 2026-06-17 | 5.8 MEDIUM | 6.5 MEDIUM |
| Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433. | |||||
| CVE-2018-5285 | 1 Wpscoop | 1 Imageinject | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/options-general.php. | |||||
| CVE-2018-5123 | 1 Mozilla | 1 Bugzilla | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| A third party website can access information available to a user with access to a restricted bug entry using the image generation in report.cgi in all Bugzilla versions prior to 4.4. | |||||
| CVE-2018-5073 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2026-06-17 | 6.0 MEDIUM | 6.8 MEDIUM |
| Online Ticket Booking has CSRF via admin/movieedit.php. | |||||
| CVE-2018-4066 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being requested through an authenticated user. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability. | |||||
| CVE-2018-2474 | 1 Sap | 1 Fiori | 2026-06-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection. | |||||
| CVE-2018-2442 | 1 Sap | 2 Businessobjects Business Intelligence, Internet Graphics Server | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| In SAP BusinessObjects Business Intelligence, versions 4.0, 4.1 and 4.2, while viewing a Web Intelligence report from BI Launchpad, the user session details captured by an HTTP analysis tool could be reused in a HTML page while the user session is still valid. | |||||
| CVE-2018-2001 | 1 Ibm | 1 Curam Social Program Management | 2026-06-17 | 6.8 MEDIUM | 4.3 MEDIUM |
| IBM Cram Social Program Management 6.1.1, 6.2.0, 7.0.4, and 7.0.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154891. | |||||
| CVE-2018-2000 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2026-06-17 | 6.8 MEDIUM | 4.3 MEDIUM |
| IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 154890. | |||||
| CVE-2018-25435 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with action=deny parameters. | |||||
| CVE-2018-25397 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts. | |||||
| CVE-2018-25387 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication. | |||||
| CVE-2018-25370 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication. | |||||
| CVE-2018-25363 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions. | |||||