Total: 8007 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | N/A | 5.3 MEDIUM | The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request.
CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2025-05-01 | N/A | 8.8 HIGH | DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords.
CVE-2023-7202 | 1 Verygoodplugins | 1 Fatal Error Notify | 2025-05-01 | N/A | 6.1 MEDIUM | The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF.
CVE-2024-42586 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) in the component categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-42585 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) in the component delete_media.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-42578 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.0 HIGH | A Cross-Site Request Forgery (CSRF) in the component edit_product.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-42576 | 1 Siamonhasan | 1 Warehouse Inventory System | 2025-05-01 | N/A | 8.8 HIGH | A Cross-Site Request Forgery (CSRF) in the component edit_categorie.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-4529 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 5.0 MEDIUM | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as deleting card categories via CSRF attacks.
CVE-2024-4530 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 6.3 MEDIUM | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as editing card categories via CSRF attacks.
CVE-2024-4531 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 7.1 HIGH | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as editing cards via CSRF attacks.
CVE-2024-4532 | 1 Esterox | 1 Business Card | 2025-05-01 | N/A | 6.4 MEDIUM | The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions such as deleting cards via CSRF attacks.
CVE-2025-24358 | | | 2025-05-01 | N/A | N/A | gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2.
CVE-2021-25931 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 6.8 MEDIUM | 8.8 HIGH | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning the `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user into assigning administrator privileges to a normal user by enticing them to click on an attacker-controlled website.
CVE-2021-25930 | 1 Opennms | 2 Horizon, Meridian | 2025-04-30 | 4.3 MEDIUM | 4.3 MEDIUM | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, the privileges of the renamed user are overwritten by those of the old user, and the old user is deleted from the user list.
CVE-2022-3632 | 1 Digitialpixies | 1 Oauth Client | 2025-04-30 | N/A | 6.5 MEDIUM | The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions.
CVE-2022-35613 | 1 Konker | 1 Konker Platform | 2025-04-30 | N/A | 8.8 HIGH | Konker v2.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF).
CVE-2022-2449 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2025-04-30 | N/A | 6.5 MEDIUM | The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing attackers to trick logged-in users into performing various actions on their behalf on the site.
CVE-2022-44389 | 1 Eyoucms | 1 Eyoucms | 2025-04-30 | N/A | 6.5 MEDIUM | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.
CVE-2022-44387 | 1 Eyoucms | 1 Eyoucms | 2025-04-30 | N/A | 8.8 HIGH | EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module.
CVE-2024-13146 | 1 Fs-code | 1 Booknetic | 2025-04-30 | N/A | 8.8 HIGH | The Booknetic WordPress plugin before 4.1.5 does not have a CSRF check when creating Staff accounts, which could allow attackers to make a logged-in admin add arbitrary Staff members via a CSRF attack.