Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-28861 1Bhzad 1Wp Jquery Persian Datepicker Apr 23, 2026 Mar 11, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS.This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0.
CVE-2025-28860 1Ppdpurveyor 1Google News Editors Picks Feed Generator Apr 23, 2026 Mar 11, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS.This issue affects Google News Editors Picks Feed Generator:...Show more Cross-Site Request Forgery (CSRF) vulnerability in PPDPurveyor Google News Editors Picks Feed Generator google-news-editors-picks-news-feeds allows Stored XSS.This issue affects Google News Editors Picks Feed Generator: from n/a through <= 2.1.Show less
CVE-2025-28859 1Codevibrant 1Maintenance Notice Apr 23, 2026 Mar 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in CodeVibrant Maintenance Notice maintenance-notice allows Cross Site Request Forgery.This issue affects Maintenance Notice: from n/a through <= 1.0.6.
CVE-2025-28857 1Rankchecker 1Rankchecker Apr 23, 2026 Mar 11, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in rankchecker Rankchecker.io Integration rankchecker-io-integration allows Stored XSS.This issue affects Rankchecker.io Integration: from n/a through <= 1.0.9.
CVE-2025-28856 1W3counter 1W3counter Apr 23, 2026 Mar 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats blog-stats-by-w3counter allows Cross Site Request Forgery.This issue affects W3Counter Free Real-Time Web Stats: from n/a...Show more Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats blog-stats-by-w3counter allows Cross Site Request Forgery.This issue affects W3Counter Free Real-Time Web Stats: from n/a through <= 4.1.Show less
CVE-2025-25928 1Openmrs 1Openmrs Jul 7, 2025 Mar 11, 2025 N/A· v4 8.0 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a...Show more A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a low-privileged account to an administrative role by leveraging the CSRF vulnerability at the /admin/users/user.form endpoint.Show less
CVE-2025-25927 1Openmrs 1Openmrs May 21, 2025 Mar 11, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request.
CVE-2025-25748 1Digitaldruid 1Hoteldruid Jan 29, 2026 Mar 11, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of or...Show more A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer validation and the absence of CSRF tokens. NOTE: this is disputed because there is an id_sessione CSRF token.Show less
CVE-2023-48790 1Fortinet 1Fortindr Jul 22, 2025 Mar 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized ac...Show more A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.Show less
CVE-2025-27912 1Datalust 1Seq Oct 10, 2025 Mar 11, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, o...Show more An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, or (2) when username/password or Active Directory authentication is in use and a user visits a compromised/malicious site under the same effective top-level domain as the Seq server. Exploitation of the vulnerability allows the attacker to conduct impersonation attacks and perform actions in Seq on behalf of the targeted user.Show less
CVE-2024-13580 1Xavivars 1Xv Random Quotes Aug 29, 2025 Mar 11, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack
CVE-2024-13436 - - Mar 11, 2025 Mar 11, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. This mak...Show more The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-27910 1Tianti Project 1Tianti May 21, 2025 Mar 10, 2025 N/A· v4 8.0 HIGH· v3 N/A· v2 tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/upd/status. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request.
CVE-2025-25907 1Tianti Project 1Tianti May 21, 2025 Mar 10, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request.
CVE-2025-26910 1Iqonic 1Wpbookit Apr 23, 2026 Mar 10, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through <= 1.0.1.
CVE-2025-24387 1Otrs 1Otrs Mar 24, 2025 Mar 10, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send...Show more A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.xShow less
CVE-2025-1926 1Pagelayer 1Pagelayer May 26, 2025 Mar 10, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validati...Show more The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2025-1382 1Lordlinus 1Contact Us Jan 9, 2026 Mar 9, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS paylo...Show more The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2025-1362 1Tahminajannat 1Url Shortener \| Conversion Tracking \| Ab Testing \| Woocommerce May 21, 2025 Mar 9, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The URL Shortener \| Conversion Tracking \| AB Testing \| WooCommerce WordPress plugin through 9.0.2 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted ac...Show more The URL Shortener \| Conversion Tracking \| AB Testing \| WooCommerce WordPress plugin through 9.0.2 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacksShow less
CVE-2024-11640 1E4jconnect 1Vikrentcar Mar 11, 2025 Mar 8, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save'...Show more The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.Show less

Previous 1...99100101...466 Next