Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,313)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-1305 1Spicethemes 1Newsblogger May 6, 2025 May 1, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_...Show more The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-32354 1Synacor 1Zimbra Collaboration Suite Jun 11, 2025 Apr 29, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This...Show more In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.Show less
CVE-2025-4088 1Mozilla 2Firefox Thunderbird Apr 13, 2026 Apr 29, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site...Show more A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.Show less
CVE-2025-3997 - - Apr 29, 2025 Apr 28, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads t...Show more A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-3979 1Lecms 1Lecms May 12, 2025 Apr 27, 2025 5.3 MEDIUM· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-password-ajax-1 of the component Password Change Handler. The manipulation leads to...Show more A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-password-ajax-1 of the component Password Change Handler. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-3964 1Withstars 1Books Management System May 12, 2025 Apr 27, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation le...Show more A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-3959 1Withstars 1Books Management System May 12, 2025 Apr 27, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads...Show more A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-2907 1Tychesoftwares 1Order Delivery Date Pro For Woocommerce May 14, 2025 Apr 26, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Da...Show more The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.Show less
CVE-2025-3638 1Moodle 1Moodle Jun 16, 2025 Apr 25, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.
CVE-2025-3635 1Moodle 1Moodle Jun 24, 2025 Apr 25, 2025 N/A· v4 3.5 LOW· v3 N/A· v2 A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
CVE-2025-46547 1Sherparpa 1Sherpa Orchestrator Oct 16, 2025 Apr 25, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.
CVE-2025-46530 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment hacklog-remote-attachment allows Stored XSS.This issue affects Hacklog Remote Attachment: from n/a through <= 1.3.2.
CVE-2025-46528 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Steve Availability Calendar availability allows Stored XSS.This issue affects Availability Calendar: from n/a through <= 0.2.4.
CVE-2025-46524 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in stesvis WP Filter Post Category wp-filter-post-categories allows Stored XSS.This issue affects WP Filter Post Category: from n/a through <= 2.1.4.
CVE-2025-46522 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Billy Bryant Tabs gt-tabs allows Stored XSS.This issue affects Tabs: from n/a through <= 4.0.3.
CVE-2025-46520 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies related-posts-via-taxonomies allows Stored XSS.This issue affects Related Posts via Taxonomies: from n/a through <= 1.0.1.
CVE-2025-46516 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in silencecm Twitter Card Generator twitter-card-generator allows Stored XSS.This issue affects Twitter Card Generator: from n/a through <= 1.0.5.
CVE-2025-46514 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in milat Milat jQuery Automatic Popup milat-jquery-automatic-popup allows Stored XSS.This issue affects Milat jQuery Automatic Popup: from n/a through <= 1.3.1.
CVE-2025-46513 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Codebangers All in One Time Clock Lite aio-time-clock-lite allows Cross Site Request Forgery.This issue affects All in One Time Clock Lite: from n/a through < 1.3.326.
CVE-2025-46512 - - Apr 23, 2026 Apr 24, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Shamim Hasan Custom Functions Plugin custom-functions allows Stored XSS.This issue affects Custom Functions Plugin: from n/a through <= 1.1.

Previous 1...777879...466 Next