Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25010 | 1 Postsnippets | 1 Post Snippets | 2022-03-08 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2022-0328 | 1 Simple-membership-plugin | 1 Simple Membership | 2022-03-08 | 4.3 MEDIUM | 4.7 MEDIUM |
| The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2021-24688 | 1 Orange-form Project | 1 Orange-form | 2022-03-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it) | |||||
| CVE-2021-24704 | 1 Orange-form Project | 1 Orange-form | 2022-03-07 | 6.8 MEDIUM | 8.8 HIGH |
| In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for example | |||||
| CVE-2021-24803 | 1 Core Tweaks Wp Setup Project | 1 Core Tweaks Wp Setup | 2022-03-07 | 6.8 MEDIUM | 8.8 HIGH |
| The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks | |||||
| CVE-2021-24823 | 1 Schiocco | 1 Support Board | 2022-03-07 | 4.9 MEDIUM | 8.1 HIGH |
| The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files | |||||
| CVE-2021-24913 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2022-03-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media. | |||||
| CVE-2021-46398 | 1 Filebrowser | 1 Filebrowser | 2022-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE. | |||||
| CVE-2022-24342 | 1 Jetbrains | 1 Teamcity | 2022-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible. | |||||
| CVE-2022-24947 | 1 Apache | 1 Jspwiki | 2022-03-04 | 6.8 MEDIUM | 8.8 HIGH |
| Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later. | |||||
| CVE-2022-21179 | 1 Ec-cube | 1 E-mail Newsletter Management | 2022-03-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via a specially crafted page, and Mail Magazine Templates and/or transmitted history information may be deleted unintendedly. | |||||
| CVE-2021-4030 | 1 Zyxel | 4 Nbg6816, Nbg6816 Firmware, Nbg6817 and 1 more | 2022-03-02 | 6.8 MEDIUM | 8.8 HIGH |
| A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts. | |||||
| CVE-2022-25599 | 1 Spiffyplugins | 1 Spiffy Calendar | 2022-03-01 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0). | |||||
| CVE-2022-23983 | 1 Wp-buy | 1 Wp Content Copy Protection \& No Right Click | 2022-03-01 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin (versions <= 3.4.4). | |||||
| CVE-2022-0313 | 1 Wow-estore | 1 Float Menu | 2022-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2022-0199 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2022-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack | |||||
| CVE-2022-0134 | 1 Bologer | 1 Anycomment | 2022-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack | |||||
| CVE-2021-25108 | 1 Ip2location | 1 Country Blocker | 2022-02-25 | 5.8 MEDIUM | 7.1 HIGH |
| The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend. | |||||
| CVE-2022-0638 | 1 Microweber | 1 Microweber | 2022-02-25 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-39124 | 1 Atlassian | 2 Data Center, Jira | 2022-02-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Cross-Site Request Forgery (CSRF) failure retry feature of Atlassian Jira Server and Data Center before version 8.16.0 allows remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a crafted request. | |||||