Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,308)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-57892 - - Apr 23, 2026 Aug 22, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds simple-feed-stats allows Cross Site Request Forgery.This issue affects Simple Statistics for Feeds: from n/a through <= 20250322.
CVE-2025-57885 - - Apr 23, 2026 Aug 22, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Cross Site Request Forgery.This issue affects Fluent Support: from n/a through <= 1.9.1.
CVE-2025-55744 1Webkul 1Unopim Aug 22, 2025 Aug 21, 2025 6.9 MEDIUM· v4 4.3 MEDIUM· v3 N/A· v2 UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). This vulnera...Show more UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). This vulnerability is fixed in 0.2.1.Show less
CVE-2025-8592 - - Aug 22, 2025 Aug 21, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This...Show more The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This makes it possible for unauthenticated attackers to install plugins from the repository via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-50902 1Old Peanut 1Open Shop Oct 9, 2025 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross Site Request Forgery (CSRF) vulnerability in old-peanut Open-Shop (aka old-peanut/wechat_applet__open_source) thru 1.0.0 allows attackers to gain sensitive information via crafted HTTP Post message.
CVE-2025-43748 1Liferay 2Digital Experience Platform Liferay Portal Dec 16, 2025 Aug 20, 2025 7.1 HIGH· v4 6.8 MEDIUM· v3 N/A· v2 Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through u...Show more Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request ForgeryShow less
CVE-2025-54174 1Opensolution 1Quick.cms Sep 8, 2025 Aug 20, 2025 5.1 MEDIUM· v4 4.3 MEDIUM· v3 N/A· v2 QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a mal...Show more QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.Show less
CVE-2025-8102 - - Aug 20, 2025 Aug 20, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sen...Show more The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-54052 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows PHP Local File Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through <=...Show more Cross-Site Request Forgery (CSRF) vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows PHP Local File Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through <= 5.0.0.Show less
CVE-2025-49896 - - Apr 28, 2026 Aug 20, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in wptasker WP Discord Post Plus – Supports Unlimited Channels allows Cross Site Request Forgery. This issue affects WP Discord Post Plus – Supports Unlimited Channels: f...Show more Cross-Site Request Forgery (CSRF) vulnerability in wptasker WP Discord Post Plus – Supports Unlimited Channels allows Cross Site Request Forgery. This issue affects WP Discord Post Plus – Supports Unlimited Channels: from n/a through 1.0.2.Show less
CVE-2025-49426 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dahz Kitring kitring allows PHP Local File Inclusion.This issue affects Kitring: from n/a through <...Show more Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dahz Kitring kitring allows PHP Local File Inclusion.This issue affects Kitring: from n/a through <= 2.8.Show less
CVE-2025-49399 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Cross Site Request Forgery.This issue affects NEX-Forms: from n/a through <= 9.1.3.
CVE-2025-49391 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Cross Site Request Forgery.This issue affects Sign-up Sheets: from n/a through <= 2.3.3.
CVE-2025-49382 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in DexignZone JobZilla - Job Board WordPress Theme jobzilla allows Privilege Escalation.This issue affects JobZilla - Job Board WordPress Theme: from n/a through <= 2.0.
CVE-2025-49381 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect adstxt-guru-connect allows Cross Site Request Forgery.This issue affects ads.txt Guru Connect: from n/a through <= 1.1.1.
CVE-2025-43745 1Liferay 2Digital Experience Platform Liferay Portal Dec 15, 2025 Aug 19, 2025 6.9 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024...Show more A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter.Show less
CVE-2025-7686 - - Aug 18, 2025 Aug 16, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The weichuncai(WP伪春菜) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This make...Show more The weichuncai(WP伪春菜) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-7684 - - Aug 18, 2025 Aug 16, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_ar...Show more The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-7683 - - Aug 18, 2025 Aug 16, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes i...Show more The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-7668 - - Aug 18, 2025 Aug 16, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Linux Promotional Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'inux-promotional-plugi...Show more The Linux Promotional Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'inux-promotional-plugin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less

Previous 1...565758...466 Next