Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-47305 1Dineshkarki 1Use Any Font Jun 17, 2026 Sep 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Dnesscarkey Use Any Font use-any-font allows Cross Site Request Forgery.This issue affects Use Any Font: from n/a through <= 6.3.08.
CVE-2024-47082 1Strawberryrocks 1Strawberry Jun 17, 2026 Sep 25, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP v...Show more Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.Show less
CVE-2024-20437 1Cisco 1Ios Xe Jun 17, 2026 Sep 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack and execute commands on the CLI of an a...Show more A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack and execute commands on the CLI of an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an already authenticated user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user.Show less
CVE-2024-20414 1Cisco 2Ios Ios Xe Jun 17, 2026 Sep 25, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through th...Show more A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attacker to change the configuration of the affected device.Show less
CVE-2024-46600 1Timgreen 1Dingfanzu Cms Jun 17, 2026 Sep 25, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/doAdminAction.php?act=delCate&id=31
CVE-2024-46485 1Timgreen 1Dingfanzu Cms Jun 17, 2026 Sep 25, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=addCate
CVE-2024-7892 1Vladyslavbondarenko 1Adstxt Jun 17, 2026 Sep 25, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8476 1Wpplugin 1Easy Paypal Events Jun 17, 2026 Sep 25, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() f...Show more The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-7386 1Wpdownloadmanager 1Premium Packages Sell Digital Products Securely Jun 17, 2026 Sep 25, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund...Show more The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.Show less
CVE-2024-8795 1Ba Booking 1Ba Book Everything Jun 17, 2026 Sep 24, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() functi...Show more The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.Show less
CVE-2024-46394 1Frogcms Project 1Frogcms Jun 17, 2026 Sep 19, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add
CVE-2024-46086 1Frogcms Project 1Frogcms Jun 17, 2026 Sep 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/delete/123
CVE-2024-44064 1Likebtn 1Like Button Rating Jun 17, 2026 Sep 17, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LikeBtn Like Button Rating likebtn-like-button.This issue affects Like Button Rating: from n/a through <= 2.6.53.
CVE-2024-46362 1Frogcms Project 1Frogcms Jun 17, 2026 Sep 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/create_directory
CVE-2024-46085 1Frogcms Project 1Frogcms Jun 17, 2026 Sep 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/rename
CVE-2024-8490 1Wp Property Hive 1Propertyhive Jun 17, 2026 Sep 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function....Show more The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-8093 1Lucasgarcia 1Posts Reminder Jun 17, 2026 Sep 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8092 1Alaingonzalez 1Accordion Image Menu Jun 17, 2026 Sep 17, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payload...Show more The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-8091 1Jakesnyder 1Enhanced Search Box Jun 17, 2026 Sep 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8052 1Moc 1Review Ratings Jun 17, 2026 Sep 17, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a...Show more The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less

Previous 1...143144145...466 Next