Total
7643 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-44993 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.7.8 versions. | |||||
| CVE-2023-1011 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 6.1 MEDIUM |
| The AI ChatBot WordPress plugin before 4.4.5 does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing attackers to make a logged in admin set XSS payloads in them. | |||||
| CVE-2023-5534 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 4.3 MEDIUM |
| The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-1660 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 6.1 MEDIUM |
| The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard | |||||
| CVE-2023-1651 | 1 Quantumcloud | 1 Wpbot | 2025-05-12 | N/A | 5.4 MEDIUM |
| The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS | |||||
| CVE-2024-13096 | 1 Mch0lic | 1 Wp Finance | 2025-05-12 | N/A | 4.6 MEDIUM |
| The WP Finance WordPress plugin through 1.3.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2024-12709 | 1 Ombu | 1 Bulk Me Now\! | 2025-05-11 | N/A | 4.3 MEDIUM |
| The Bulk Me Now! WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. | |||||
| CVE-2025-4088 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-05-09 | N/A | 6.5 MEDIUM |
| A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138. | |||||
| CVE-2025-4375 | 2025-05-09 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password. This issue affects Pro Cloud Server: earlier than 6.0.165. | |||||
| CVE-2024-2858 | 1 Robbychen | 1 Simple Buttons Creator | 2025-05-08 | N/A | 4.8 MEDIUM |
| The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-2857 | 1 Robbychen | 1 Simple Buttons Creator | 2025-05-08 | N/A | 6.1 MEDIUM |
| The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins. | |||||
| CVE-2024-2739 | 1 Mndpsingh287 | 1 Advanced Search | 2025-05-08 | N/A | 8.7 HIGH |
| The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-6136 | 1 Tipsandtricks-hq | 1 Wp Estore | 2025-05-08 | N/A | 5.4 MEDIUM |
| The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2022-43418 | 1 Jenkins | 1 Katalon | 2025-05-08 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2024-3472 | 1 Wow-company | 1 Modal Window | 2025-05-08 | N/A | 5.9 MEDIUM |
| The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2024-3471 | 1 Wow-company | 1 Button Generator | 2025-05-08 | N/A | 3.4 LOW |
| The Button Generator WordPress plugin before 3.0 does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack | |||||
| CVE-2024-2405 | 1 Wow-company | 1 Float Menu | 2025-05-08 | N/A | 4.5 MEDIUM |
| The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. | |||||
| CVE-2024-12436 | 1 Marvinlabs | 1 Wp Customer Area | 2025-05-08 | N/A | 4.3 MEDIUM |
| The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-12280 | 1 Marvinlabs | 1 Wp Customer Area | 2025-05-08 | N/A | 4.3 MEDIUM |
| The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack | |||||
| CVE-2024-3481 | 1 Wow-company | 1 Counter Box | 2025-05-08 | N/A | 5.2 MEDIUM |
| The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks | |||||