Total
7865 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10892 | 1 Stylemixthemes | 1 Cost Calculator Builder | 2025-05-14 | N/A | 5.4 MEDIUM |
| The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. | |||||
| CVE-2025-2907 | 1 Tychesoftwares | 1 Order Delivery Date Pro For Woocommerce | 2025-05-14 | N/A | 9.8 CRITICAL |
| The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover. | |||||
| CVE-2022-3151 | 1 Wp Custom Cursors Project | 1 Wp Custom Cursors | 2025-05-14 | N/A | 4.3 MEDIUM |
| The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack. | |||||
| CVE-2024-3582 | 1 Mmond | 1 Ungallery | 2025-05-14 | N/A | 4.8 MEDIUM |
| The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-3590 | 1 Themeqx | 1 Letterpress | 2025-05-14 | N/A | 6.1 MEDIUM |
| The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers | |||||
| CVE-2024-3903 | 1 Technologicx | 1 Add Custom Css And Js | 2025-05-14 | N/A | 7.1 HIGH |
| The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-11607 | 1 Harryhe | 1 Gtpayment Donations | 2025-05-14 | N/A | 6.1 MEDIUM |
| The GTPayment Donations WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2022-42070 | 1 Oretnom23 | 1 Online Birth Certificate Management System | 2025-05-14 | N/A | 8.8 HIGH |
| Online Birth Certificate Management System version 1.0 is vulnerable to Cross Site Request Forgery (CSRF). | |||||
| CVE-2022-3149 | 1 Wp Custom Cursors Project | 1 Wp Custom Cursors | 2025-05-14 | N/A | 6.1 MEDIUM |
| The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting | |||||
| CVE-2022-3126 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2025-05-14 | N/A | 4.3 MEDIUM |
| The Frontend File Manager Plugin WordPress plugin before 21.4 does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf | |||||
| CVE-2025-47204 | 2025-05-14 | N/A | 6.1 MEDIUM | ||
| An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF). | |||||
| CVE-2025-46721 | 2025-05-13 | N/A | N/A | ||
| nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user's behalf. Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. A patch for the issue was released in nosurf 1.2.0. In lieu of upgrading to a patched version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header in the request). | |||||
| CVE-2025-28062 | 2025-05-13 | N/A | 8.1 HIGH | ||
| A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections. | |||||
| CVE-2021-33338 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-05-13 | 5.1 MEDIUM | 7.5 HIGH |
| The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery (CSRF) attacks via the p_auth parameter. | |||||
| CVE-2024-5028 | 1 Cminds | 1 Cm Search And Replace | 2025-05-13 | N/A | 6.5 MEDIUM |
| The CM WordPress Search And Replace Plugin WordPress plugin before 1.3.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2024-5167 | 1 Cminds | 1 Cm E-mail Blacklist | 2025-05-13 | N/A | 8.1 HIGH |
| The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers to make a logged in admin add or delete settings from the blacklist or whitelist menu via a CSRF attack | |||||
| CVE-2022-3082 | 1 Miniorange | 1 Discord Integration | 2025-05-13 | N/A | 6.5 MEDIUM |
| The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example | |||||
| CVE-2024-26450 | 1 Piwigo | 1 Piwigo | 2025-05-13 | N/A | 5.4 MEDIUM |
| An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener. | |||||
| CVE-2022-45847 | 1 Wpassist | 1 Countdown Widget | 2025-05-13 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1. | |||||
| CVE-2023-39311 | 1 Avada | 1 Fusion Builder | 2025-05-13 | N/A | 7.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Fusion Builder.This issue affects Fusion Builder: from n/a through 3.11.1. | |||||