Total
8073 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9898 | 2025-09-29 | N/A | 4.3 MEDIUM | ||
| The cForms – Light speed fast Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the cforms_api function. This makes it possible for unauthenticated attackers to modify forms and their settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-9896 | 2025-09-29 | N/A | 4.3 MEDIUM | ||
| The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-59845 | 2025-09-29 | N/A | 8.2 HIGH | ||
| Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3. | |||||
| CVE-2025-9893 | 2025-09-29 | N/A | 4.3 MEDIUM | ||
| The VM Menu Reorder plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the vm_set_to_default function. This makes it possible for unauthenticated attackers to reset all menu reordering settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-43192 | 2025-09-29 | N/A | 6.5 MEDIUM | ||
| IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2025-9899 | 2025-09-29 | N/A | 6.1 MEDIUM | ||
| The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for unauthenticated attackers to create or modify feed entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-10498 | 2025-09-29 | N/A | 4.3 MEDIUM | ||
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-51144 | 2025-09-29 | N/A | 8.8 HIGH | ||
| Cross Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', pvmsg.php?action=confirm_delete , and ajax.server.php?page=user&action=flip_follow endpoints in Ampache <= 6.6.0. | |||||
| CVE-2024-24336 | 2025-09-29 | N/A | 8.1 HIGH | ||
| A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. | |||||
| CVE-2008-7082 | 1 Mybb | 1 Mybb | 2025-09-26 | 6.8 MEDIUM | N/A |
| MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header. | |||||
| CVE-2025-60115 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in instapagedev Instapage Plugin allows Cross Site Request Forgery. This issue affects Instapage Plugin: from n/a through 3.5.12. | |||||
| CVE-2025-10752 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-60137 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Post Featured Video allows Cross Site Request Forgery. This issue affects Post Featured Video: from n/a through 1.7. | |||||
| CVE-2025-60111 | 2025-09-26 | N/A | 8.8 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266. | |||||
| CVE-2025-58914 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2. | |||||
| CVE-2025-10377 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-60171 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through 1.2.10. | |||||
| CVE-2025-60113 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu allows Cross Site Request Forgery. This issue affects Groovy Menu: from n/a through 1.4.3. | |||||
| CVE-2025-60170 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0. | |||||
| CVE-2025-60117 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in TangibleWP Vehica Core allows Cross Site Request Forgery. This issue affects Vehica Core: from n/a through 1.0.100. | |||||