Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,334)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-3246 1Litespeedtech 1Litespeed Cache Jun 17, 2026 Jul 24, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthe...Show more The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-6751 1Wpwebinfotech 1Social Auto Poster Jun 17, 2026 Jul 24, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it...Show more The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.Show less
CVE-2024-6271 1Community Events Project 1Community Events Jun 17, 2026 Jul 22, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack
CVE-2024-6244 1Projectzealous 1Pz Frontend Manager Jun 17, 2026 Jul 22, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-5804 - - Jun 17, 2026 Jul 20, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_adm...Show more The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-41597 1Processwire 1Processwire Jun 17, 2026 Jul 19, 2024 N/A· v4 4.2 MEDIUM· v3 N/A· v2 Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.
CVE-2024-41603 1Denkgroot 1Spina Jun 17, 2026 Jul 19, 2024 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Spina CMS v2.18.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the URI /admin/layout.
CVE-2024-41602 1Denkgroot 1Spina Jun 17, 2026 Jul 19, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross Site Request Forgery vulnerability in Spina CMS v.2.18.0 and before allows a remote attacker to escalate privileges via a crafted URL
CVE-2023-7269 1Artplacer 1Artplacer Widget Jun 17, 2026 Jul 19, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 The ArtPlacer Widget WordPress plugin before 2.21.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads vi...Show more The ArtPlacer Widget WordPress plugin before 2.21.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less
CVE-2024-39090 1Phpgurukul 1Online Shopping Portal Jun 17, 2026 Jul 18, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The PHPGurukul Online Shopping Portal Project version 2.0 contains a vulnerability that allows Cross-Site Request Forgery (CSRF) to lead to Stored Cross-Site Scripting (XSS). An attacker can exploit this vulnerability to...Show more The PHPGurukul Online Shopping Portal Project version 2.0 contains a vulnerability that allows Cross-Site Request Forgery (CSRF) to lead to Stored Cross-Site Scripting (XSS). An attacker can exploit this vulnerability to execute arbitrary JavaScript code in the context of a user's session, potentially leading to account takeover.Show less
CVE-2024-39681 1Boxystudio 1Cooked Jun 17, 2026 Jul 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the A...Show more Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-39680 1Boxystudio 1Cooked Jun 17, 2026 Jul 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the A...Show more Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-39679 1Boxystudio 1Cooked Jun 17, 2026 Jul 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the A...Show more Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-39678 1Boxystudio 1Cooked Jun 17, 2026 Jul 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action han...Show more Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-40119 - - Jun 17, 2026 Jul 17, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the adm...Show more Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.Show less
CVE-2024-5815 1Github 1Enterprise Server Jun 17, 2026 Jul 16, 2024 6.8 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to b...Show more A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.Show less
CVE-2024-40455 1Thinksaas 1Thinksaas Jun 17, 2026 Jul 16, 2024 N/A· v4 2.7 LOW· v3 N/A· v2 An arbitrary file deletion vulnerability in ThinkSAAS v3.7 allows attackers to delete arbitrary files via a crafted request.
CVE-2024-6075 1Tipsandtricks Hq 1Wp Estore Jun 17, 2026 Jul 15, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-5287 1Tipsandtricks Hq 1Wp Affiliate Platform Jun 17, 2026 Jul 13, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in user change them via a CSRF attack
CVE-2024-5284 1Tipsandtricks Hq 1Wp Affiliate Platform Jun 17, 2026 Jul 13, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payload...Show more The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less

Previous 1...153154155...467 Next