Total
7747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34807 | 1 Codebard | 1 Fast Custom Social Share | 2025-03-11 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in CodeBard Fast Custom Social Share by CodeBard.This issue affects Fast Custom Social Share by CodeBard: from n/a through 1.1.2. | |||||
| CVE-2024-1976 | 1 Marketingoptimizer | 1 Marketing Optimizer | 2025-03-11 | N/A | 4.3 MEDIUM |
| The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-54139 | 1 Combodo | 1 Itop | 2025-03-11 | N/A | 7.9 HIGH |
| Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue. | |||||
| CVE-2024-0592 | 1 Never5 | 1 Related Posts | 2025-03-11 | N/A | 5.4 MEDIUM |
| The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handle_create_link() function. This makes it possible for unauthenticated attackers to add related posts to other posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This ultimately makes it possible for attackers to view draft and password protected posts. | |||||
| CVE-2023-48790 | 2025-03-11 | N/A | 7.5 HIGH | ||
| A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. | |||||
| CVE-2024-1889 | 1 Sma | 4 Clcon-10, Clcon-10 Firmware, Clcon-s-10 and 1 more | 2025-03-11 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery vulnerability in SMA Cluster Controller, affecting version 01.05.01.R. This vulnerability could allow an attacker to send a malicious link to an authenticated user to perform actions with these user permissions on the affected device. | |||||
| CVE-2024-49779 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 4.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to bypass security restrictions, caused by improper validation and management of authentication cookies. By modifying the CSRF token and Session Id cookie parameters using the cookies of another user, a remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the vulnerable application. | |||||
| CVE-2024-0827 | 1 Hammadh | 1 Play.ht | 2025-03-11 | N/A | 4.3 MEDIUM |
| The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-0830 | 1 Najeebmedia | 1 Comments Extra Fields | 2025-03-11 | N/A | 4.3 MEDIUM |
| The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing or incorrect nonce validation on several ajax actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. As a result, they may modify comment form fields and update plugin settings. | |||||
| CVE-2025-27912 | 2025-03-11 | N/A | 8.8 HIGH | ||
| An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, or (2) when username/password or Active Directory authentication is in use and a user visits a compromised/malicious site under the same effective top-level domain as the Seq server. Exploitation of the vulnerability allows the attacker to conduct impersonation attacks and perform actions in Seq on behalf of the targeted user. | |||||
| CVE-2024-13436 | 2025-03-11 | N/A | 6.1 MEDIUM | ||
| The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-44999 | 1 Woocommerce | 1 Stripe Payment Gateway | 2025-03-10 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0. | |||||
| CVE-2023-27295 | 1 Opencats | 1 Opencats | 2025-03-10 | N/A | 5.4 MEDIUM |
| Cross-site request forgery is facilitated by OpenCATS failure to require CSRF tokens in POST requests. An attacker can exploit this issue by creating a dummy page that executes Javascript in an authenticated user's session when visited. | |||||
| CVE-2022-48309 | 1 Sophos | 1 Connect | 2025-03-07 | N/A | 4.3 MEDIUM |
| A CSRF vulnerability allows malicious websites to retrieve logs and technical support archives in Sophos Connect versions older than 2.2.90. | |||||
| CVE-2024-12634 | 2025-03-07 | N/A | 6.1 MEDIUM | ||
| The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 2.0.59. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-0748 | 2025-03-07 | N/A | 4.3 MEDIUM | ||
| The Homey theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.3. This is due to missing or incorrect nonce validation on the 'homey_verify_user_manually' function. This makes it possible for unauthenticated attackers to update verify an user via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-2042 | 2025-03-06 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability has been found in huang-yk student-manage 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0801 | 1 Ratemyagent | 1 Ratemyagent | 2025-03-06 | N/A | 4.3 MEDIUM |
| The RateMyAgent Official plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.0. This is due to missing or incorrect nonce validation on the 'rma-settings-wizard'. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-4059 | 1 Cozmoslabs | 1 Profile Builder | 2025-03-06 | N/A | 4.3 MEDIUM |
| The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog | |||||
| CVE-2022-4265 | 1 Gopostmatic | 1 Replyable | 2025-03-06 | N/A | 8.8 HIGH |
| The Replyable WordPress plugin before 2.2.10 does not validate the class name submitted by the request when instantiating an object in the prompt_dismiss_notice action and also lacks CSRF check in the related action. This could allow any authenticated users, such as subscriber to perform Object Injection attacks. The attack could also be done via a CSRF vector against any authenticated user | |||||