Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-28948 | 2025-06-06 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in codedraft Mediabay - WordPress Media Library Folders allows Reflected XSS. This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4. | |||||
| CVE-2025-28958 | 2025-06-06 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10. | |||||
| CVE-2025-5019 | 2025-06-06 | N/A | 5.4 MEDIUM | ||
| The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-2935 | 2025-06-06 | N/A | 5.4 MEDIUM | ||
| The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-36513 | 2025-06-06 | N/A | N/A | ||
| Cross-site request forgery vulnerability exists in surveillance cameras provided by i-PRO Co., Ltd.. If a user views a crafted page while logged in to the affected product, unintended operations may be performed. | |||||
| CVE-2024-54356 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress By Vcita | 2025-06-05 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in vCita.com Online Booking & Scheduling Calendar for WordPress by vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5. | |||||
| CVE-2024-37235 | 1 Groundhogg | 1 Groundhogg | 2025-06-05 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg allows Cross Site Request Forgery.This issue affects Groundhogg: from n/a through 3.4.2.3. | |||||
| CVE-2024-56229 | 1 Searchiq | 1 Searchiq | 2025-06-05 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Searchiq SearchIQ.This issue affects SearchIQ: from n/a through 4.6. | |||||
| CVE-2025-46257 | 2025-06-05 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in BdThemes Element Pack Pro allows Cross Site Request Forgery.This issue affects Element Pack Pro: from n/a before 8.0.0. | |||||
| CVE-2022-32555 | 1 Unisys | 1 Data Exchange Management Studio | 2025-06-05 | N/A | 8.8 HIGH |
| Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have an Anti-CSRF token to authenticate the POST request. Thus, a cross-site request forgery attack could occur. | |||||
| CVE-2024-22817 | 1 Flycms Project | 1 Flycms | 2025-06-05 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/email/email_conf_updagte | |||||
| CVE-2024-9943 | 1 Multivendorx | 1 Multivendorx | 2025-06-05 | N/A | 6.3 MEDIUM |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. This makes it possible for unauthenticated attackers to update vendor account details, create vendor accounts, and delete arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-22699 | 1 Flycms Project | 1 Flycms | 2025-06-05 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/update_group_save. | |||||
| CVE-2024-12545 | 1 Appsmav | 1 Scratch \& Win | 2025-06-05 | N/A | 5.4 MEDIUM |
| The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2018-18760 | 1 Saltos | 1 Rhinos | 2025-06-05 | 4.3 MEDIUM | 6.5 MEDIUM |
| RhinOS 3.0 build 1190 allows CSRF. | |||||
| CVE-2024-9233 | 1 Gsplugins | 1 Logo Slider | 2025-06-04 | N/A | N/A |
| The Logo Slider WordPress plugin before 3.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-9450 | 1 Syntactics | 1 Free Booking Plugin For Hotels\, Restaurant And Car Rental | 2025-06-04 | N/A | N/A |
| The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF attack | |||||
| CVE-2025-2247 | 1 Mantus667 | 1 Wp-pmanager | 2025-06-04 | N/A | N/A |
| The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2025-4580 | 1 Dimdavid | 1 File Provider | 2025-06-04 | N/A | N/A |
| The File Provider WordPress plugin through 1.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2025-1557 | 1 Ofcms Project | 1 Ofcms | 2025-06-04 | N/A | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||