Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,334)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-6040 1Lollms 1Lollms Web Ui Jun 17, 2026 Aug 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinst...Show more In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.Show less
CVE-2024-6496 1Dmytropopov 1Light Poll Jun 17, 2026 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks when deleting polls, which could allow attackers to make logged in users perform such action via a CSRF attack
CVE-2024-3983 1Vanquish 1Woocommerce Customers Manager Jun 17, 2026 Aug 1, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via...Show more The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacksShow less
CVE-2024-2843 1Vanquish 1Woocommerce Customers Manager Jun 17, 2026 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks
CVE-2024-1747 1Vanquish 1Woocommerce Customers Manager Jun 17, 2026 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create cus...Show more The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.Show less
CVE-2024-40883 1Elecom 6Wrc 2533gs2 B Firmware Wrc 2533gs2 W FirmwareWrc 2533gs2v B Firmware+3 more Jun 17, 2026 Aug 1, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-site request forgery vulnerability exists in ELECOM wireless LAN routers. Viewing a malicious page while logging in to the affected product with an administrative privilege, the user may be directed to perform unin...Show more Cross-site request forgery vulnerability exists in ELECOM wireless LAN routers. Viewing a malicious page while logging in to the affected product with an administrative privilege, the user may be directed to perform unintended operations such as changing the login ID, login password, etc.Show less
CVE-2024-3083 1Proges 1Sensor Net Connect Firmware V2 Jun 17, 2026 Jul 31, 2024 N/A· v4 8.3 HIGH· v3 N/A· v2 A “CWE-352: Cross-Site Request Forgery (CSRF)” can be exploited by remote attackers to perform state-changing operations with administrative privileges by luring authenticated victims into visiting a malicious web page.
CVE-2024-6412 1Linksoftwarellc 1Html Forms Jun 17, 2026 Jul 31, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-41305 1Wondercms 1Wondercms Jun 17, 2026 Jul 30, 2024 N/A· v4 4.7 MEDIUM· v3 N/A· v2 A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
CVE-2023-38001 1Ibm 1Aspera Orchestrator Jun 17, 2026 Jul 30, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260...Show more IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260206.Show less
CVE-2024-7226 1Oretnom23 1Medicine Tracker System Jun 17, 2026 Jul 30, 2024 6.9 MEDIUM· v4 8.8 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password C...Show more A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability.Show less
CVE-2024-6230 1Wp Master 1Pardakht Delkhah Jun 17, 2026 Jul 30, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2024-5808 1Masdiblogs 1Wp Ajax Contact Form Jun 17, 2026 Jul 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged in admin perform such action via a CSRF att...Show more The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged in admin perform such action via a CSRF attackShow less
CVE-2024-40815 1Apple 5Ipados Iphone OsMacos+2 more Jun 17, 2026 Jul 29, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 A race condition was addressed with additional validation. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, tvOS 17.6, watchOS 10.6. A malicious attacker with arbitrary read and w...Show more A race condition was addressed with additional validation. This issue is fixed in iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, macOS Ventura 13.6.8, tvOS 17.6, watchOS 10.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.Show less
CVE-2024-5285 1Tipsandtricks Hq 1Wp Affiliate Platform Jun 17, 2026 Jul 29, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The wp-affiliate-platform WordPress plugin before 6.5.2 does not have CSRF check in place when deleting affiliates, which could allow attackers to make a logged in user change delete them via a CSRF attack
CVE-2024-7169 1Oretnom23 1School Fees Payment System Jun 17, 2026 Jul 28, 2024 6.9 MEDIUM· v4 8.8 HIGH· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is p...Show more A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583.Show less
CVE-2024-7161 1Seacms 1Seacms Jun 17, 2026 Jul 28, 2024 6.9 MEDIUM· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The man...Show more A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575.Show less
CVE-2024-6490 1Averta 1Master Slider Jun 17, 2026 Jul 26, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 During testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an unauthorized user to manipulate requests on behalf of the victim and thereby delete all of the sliders...Show more During testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an unauthorized user to manipulate requests on behalf of the victim and thereby delete all of the sliders inside Master Slider WordPress plugin through 3.9.10.Show less
CVE-2024-7106 1Denkgroot 1Spina Jun 17, 2026 Jul 25, 2024 6.9 MEDIUM· v4 8.8 HIGH· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery....Show more A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-7065 1Denkgroot 1Spina Jun 17, 2026 Jul 24, 2024 6.9 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible...Show more A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272346 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less

Previous 1...152153154...467 Next