Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24249 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc | |||||
| CVE-2021-24766 | 1 404 To 301 Project | 1 404 To 301 | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack | |||||
| CVE-2021-24159 | 1 Rocklobster | 1 Contact Form 7 | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript. | |||||
| CVE-2021-24504 | 1 Wplearnmanager | 1 Wp Learn Manager | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated) | |||||
| CVE-2021-24333 | 1 Content Copy Protection \& Prevent Image Save Project | 1 Content Copy Protection \& Prevent Image Save | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. | |||||
| CVE-2021-24179 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. | |||||
| CVE-2021-24251 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2023-11-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example) | |||||
| CVE-2021-24945 | 1 Likebtn | 1 Like Button Rating | 2023-11-07 | 6.0 MEDIUM | 8.0 HIGH |
| The Like Button Rating ? LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. | |||||
| CVE-2021-25924 | 1 Thoughtworks | 1 Gocd | 2023-11-07 | 9.3 HIGH | 8.8 HIGH |
| In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field. | |||||
| CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ?????? ?????? ??????? WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues | |||||
| CVE-2021-22512 | 1 Microfocus | 1 Application Automation Tools | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form validation without permission checks. | |||||
| CVE-2021-22500 | 1 Microfocus | 1 Application Performance Management | 2023-11-07 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross Site Request Forgery vulnerability in Micro Focus Application Performance Management product, affecting versions 9.40, 9.50 and 9.51. The vulnerability could be exploited by attacker to trick the users into executing actions of the attacker's choosing. | |||||
| CVE-2021-23227 | 1 Php Everywhere Project | 1 Php Everywhere | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions. | |||||
| CVE-2021-21027 | 1 Magento | 1 Magento | 2023-11-07 | 4.3 MEDIUM | N/A |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation. | |||||
| CVE-2021-20102 | 1 Machform | 1 Machform | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Machform prior to version 16 is vulnerable to cross-site request forgery due to a lack of CSRF tokens in place. | |||||
| CVE-2020-8168 | 1 Ui | 51 Ag-hp-2g16, Ag-hp-2g20, Ag-hp-5g23 and 48 more | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF), as a result authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrade the device's firmware to older versions, modify configuration, upload arbitrary firmware, exfiltrate files and tokens.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page. | |||||
| CVE-2020-7304 | 1 Mcafee | 1 Data Loss Prevention | 2023-11-07 | 5.2 MEDIUM | 7.6 HIGH |
| Cross site request forgery vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attacker to embed a CRSF script via adding a new label. | |||||
| CVE-2020-6585 | 1 Nagios | 1 Nagios | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| Nagios Log Server 2.1.3 has CSRF. | |||||
| CVE-2020-36755 | 1 Presscustomizr | 1 Customizr | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the czr_fn_post_fields_save() function. This makes it possible for unauthenticated attackers to post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36751 | 1 Jesseeproductions | 1 Coupon Creator | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Coupon Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_meta() function. This makes it possible for unauthenticated attackers to save meta fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||