Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,314)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-8051 1Moc 1Special Feed Items Jun 17, 2026 Sep 17, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads...Show more The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-8047 1Freakingwildchild 1Visual Sound Jun 17, 2026 Sep 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8044 1Rubayathasan 1Infolinks Ad Wrap Jun 17, 2026 Sep 17, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-8043 1Seanschulte 1Vikinghammer Tweet Jun 17, 2026 Sep 17, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads...Show more The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-6862 1Lunary 1Lunary Jun 17, 2026 Sep 13, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the inst...Show more A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.Show less
CVE-2024-7423 1Xwp 1Stream Jun 17, 2026 Sep 13, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This...Show more The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-7864 1Pixeljar 1Favicon Generator Jun 17, 2026 Sep 13, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the serve...Show more The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the serverShow less
CVE-2024-7863 1Pixeljar 1Favicon Generator Jun 17, 2026 Sep 13, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on t...Show more The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the serverShow less
CVE-2024-7862 1Kimhuebel 1Blogintroduction Wordpress Plugin Jun 17, 2026 Sep 12, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-7859 1Freakingwildchild 1Visual Sound Jun 17, 2026 Sep 12, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-7820 1Elliot 1Ilc Thickbox Jun 17, 2026 Sep 12, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2024-7817 1Michalaugustyniak 1Misiek Photo Album Jun 17, 2026 Sep 12, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack
CVE-2024-7816 1Adeelraza 1Gixaw Chat Jun 17, 2026 Sep 12, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...Show more The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-6017 1Scriptonite 1Music Request Manager Jun 17, 2026 Sep 12, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads...Show more The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less
CVE-2024-3163 1Realestateconnected 1Easy Property Listings Jun 17, 2026 Sep 12, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
CVE-2024-44677 1Eladmin 1Eladmin Jun 17, 2026 Sep 10, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 eladmin v2.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the DatabaseController.java component.
CVE-2023-2919 1Themeum 1Tutor Lms Jun 17, 2026 Sep 10, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This ma...Show more The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-45504 - - Jun 17, 2026 Sep 10, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended...Show more Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended operations if the user views a malicious page while logged in.Show less
CVE-2024-7689 1Snapshot Backup Project 1Snapshot Backup Jun 17, 2026 Sep 9, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via...Show more The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2024-7688 1Azindex Project 1Azindex Jun 17, 2026 Sep 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin delete arbitrary indexes via a CSRF attack

Previous 1...144145146...466 Next