Total
7746 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6001 | 2025-06-12 | N/A | 8.3 HIGH | ||
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager. | |||||
| CVE-2025-41661 | 2025-06-12 | N/A | 8.8 HIGH | ||
| An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint event_mail_test). | |||||
| CVE-2024-8398 | 1 Philipwalton | 1 Simple Nav Archives | 2025-06-12 | N/A | 4.3 MEDIUM |
| The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-8286 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 6.5 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks | |||||
| CVE-2024-8245 | 1 Gamipress | 1 Gamipress - Reset User | 2025-06-12 | N/A | 4.3 MEDIUM |
| The GamiPress WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-25417 | 1 Flusity | 1 Flusity | 2025-06-12 | N/A | 8.8 HIGH |
| flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_translation.php. | |||||
| CVE-2024-10677 | 1 Bluetrait | 1 Blue Trait Event Viewer | 2025-06-12 | N/A | 4.3 MEDIUM |
| The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2025-47886 | 1 Jenkins | 1 Cadence Vmanager | 2025-06-12 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. | |||||
| CVE-2025-32354 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | N/A | 8.8 HIGH |
| In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website. | |||||
| CVE-2023-7174 | 1 Abitgone | 1 Abitgone Commentsafe | 2025-06-11 | N/A | 7.1 HIGH |
| The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2023-7195 | 1 Ani2life | 1 Wp-reply Notify | 2025-06-11 | N/A | 4.3 MEDIUM |
| The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | |||||
| CVE-2023-7196 | 1 Jonkemp | 1 Ultimate Noindex Nofollow Tool | 2025-06-11 | N/A | 4.3 MEDIUM |
| The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2023-7197 | 1 Corbyboy | 1 Marketing Twitter Bot | 2025-06-11 | N/A | 7.1 HIGH |
| The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-2334 | 2 Gsheetconnector, Westerndeal | 2 Edd Gsheetconnector, Easy Digital Downloads Google Sheet Connector | 2025-06-11 | N/A | 5.4 MEDIUM |
| The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack | |||||
| CVE-2022-1617 | 1 Usabilitydynamics | 1 Wp-invoice | 2025-06-11 | N/A | 6.1 MEDIUM |
| The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them | |||||
| CVE-2025-32501 | 2025-06-11 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in dimafreund RentSyst allows Stored XSS.This issue affects RentSyst: from n/a through 2.0.92. | |||||
| CVE-2023-6946 | 1 Unalignedcode | 1 Autotitle | 2025-06-11 | N/A | 8.8 HIGH |
| The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2023-5006 | 1 Sarveshmrao | 1 Wp Discord Invite | 2025-06-11 | N/A | 6.5 MEDIUM |
| The WP Discord Invite WordPress plugin before 2.5.1 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request. | |||||
| CVE-2024-7984 | 1 Ultimatewpsms | 1 Joy Of Text | 2025-06-11 | N/A | 4.3 MEDIUM |
| The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-3932 | 2025-06-11 | 2.6 LOW | 3.1 LOW | ||
| A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component. | |||||