Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,313)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-6719 1Webgarh 1Offload Videos Jan 5, 2026 May 15, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack
CVE-2024-12750 1Raiserweb 1Competition Form Jun 9, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-12301 1Joomlaserviceprovider 1Jsp Store Locator Jun 9, 2025 May 15, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The JSP Store Locator WordPress plugin through 1.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.
CVE-2024-12282 1Smyx 1Wp Connect Jun 9, 2025 May 15, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a...Show more The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-11719 1Couleurcitron 1Tarteaucitron Wp Jun 9, 2025 May 15, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via...Show more The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-11373 1Floriansimunek 1Connexion Logs Jun 9, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Connexion Logs WordPress plugin through 3.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-10677 1Bluetrait 1Blue Trait Event Viewer Jun 12, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-10634 1Nokautpl 1Nokaut Offers Box Jun 9, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Nokaut Offers Box WordPress plugin through 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset the Nokaut Offers Box WordPress plugin throug...Show more The Nokaut Offers Box WordPress plugin through 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset the Nokaut Offers Box WordPress plugin through 1.4.0 via a CSRF attackShow less
CVE-2023-7297 1Reneade 1Twitterposts Nov 13, 2025 May 15, 2025 N/A· v4 3.5 LOW· v3 N/A· v2 The TwitterPosts WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2023-7229 1Evanliewer 1Illi Link Party! May 27, 2025 May 15, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The illi Link Party! WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2023-7197 1Corbyboy 1Marketing Twitter Bot Jun 11, 2025 May 15, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payload...Show more The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less
CVE-2023-7196 1Jonkemp 1Ultimate Noindex Nofollow Tool Jun 11, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2023-7195 1Ani2life 1Wp Reply Notify Jun 11, 2025 May 15, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2023-7174 1Abitgone 1Abitgone Commentsafe Jun 11, 2025 May 15, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payload...Show more The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2023-5934 1Travelpayouts 1Travelpayouts Jun 4, 2025 May 15, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some se...Show more The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attackShow less
CVE-2023-2334 2Gsheetconnector Westerndeal 2Easy Digital Downloads Google Sheet Connector Edd Gsheetconnector Jun 11, 2025 May 15, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attack...Show more The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attackShow less
CVE-2025-32922 - - Apr 23, 2026 May 15, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Saleswonder Team: Tobias WP2LEADS wp2leads allows Stored XSS.This issue affects WP2LEADS: from n/a through <= 3.5.0.
CVE-2025-44185 1Mayurik 1Best Employee Management System May 28, 2025 May 15, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/change_pass.php via the password parameter.
CVE-2025-47886 1Jenkins 1Cadence Vmanager Jun 12, 2025 May 14, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and p...Show more A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.Show less
CVE-2025-47708 1Miniorange 1Miniorange 2fa Jun 10, 2025 May 14, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5...Show more Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.Show less

Previous 1...737475...466 Next