Total
7225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2233 | 1 Banner Cycler Project | 1 Banner Cycler | 2025-05-05 | N/A | 8.8 HIGH |
| The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link | |||||
| CVE-2022-2541 | 1 Summitmediaconcepts | 1 Ucontext For Amazon | 2025-05-05 | N/A | 8.8 HIGH |
| The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-1969 | 1 Script | 1 Mobile Browser Color Select | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
| The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-1912 | 1 Smartsoft | 1 Button Widget Smartsoft | 2025-05-05 | N/A | 8.8 HIGH |
| The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-1749 | 1 Wpmk Ajax Finder Project | 1 Wpmk Ajax Finder | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
| The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1. | |||||
| CVE-2022-1900 | 1 Copify | 1 Copify | 2025-05-05 | 6.8 MEDIUM | 8.8 HIGH |
| The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-3940 | 1 Bozdoz | 1 Recaptcha Jetpack | 2025-05-05 | N/A | N/A |
| The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-3941 | 1 Bozdoz | 1 Recaptcha Jetpack | 2025-05-05 | N/A | N/A |
| The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2022-42751 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 8.8 HIGH |
| CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows to persuade an administrator to create a new account with administrative permissions. | |||||
| CVE-2022-30608 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 8.8 HIGH |
| "IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a "user that the website trusts. IBM X-Force ID: 227295. | |||||
| CVE-2025-4199 | 2025-05-03 | N/A | 6.1 MEDIUM | ||
| The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-4198 | 2025-05-03 | N/A | 6.1 MEDIUM | ||
| The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-4188 | 2025-05-03 | N/A | 6.1 MEDIUM | ||
| The Advanced Reorder Image Text Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'reorder-simple-image-text-slider-setting' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-41413 | 1 Perfsonar | 1 Perfsonar | 2025-05-02 | N/A | 4.3 MEDIUM |
| perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function. | |||||
| CVE-2024-5033 | 1 Toolstack | 1 Sully | 2025-05-02 | N/A | N/A |
| The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2024-5034 | 1 Toolstack | 1 Sully | 2025-05-02 | N/A | N/A |
| The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
| CVE-2006-5175 | 1 Buffalo-technology | 1 Terastation Hd-htgl Firmware | 2025-05-02 | 7.6 HIGH | N/A |
| Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors. | |||||
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2025-05-01 | N/A | 4.3 MEDIUM |
| The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options | |||||
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2025-05-01 | N/A | 5.3 MEDIUM |
| The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request | |||||
| CVE-2022-43031 | 1 Dedecms | 1 Dedecms | 2025-05-01 | N/A | 8.8 HIGH |
| DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add Administrator accounts and modify Admin passwords. | |||||