Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,348)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-40601 1Mediawiki 1Mediawiki Jun 17, 2026 Jul 7, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. CSRF can occur in API modules.
CVE-2024-5616 1Mudler 1Localai Jun 17, 2026 Jul 6, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, a...Show more A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.Show less
CVE-2024-39023 1Idccms 1Idccms Jun 17, 2026 Jul 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/info_deal.php?mudi=add&nohrefStr=close
CVE-2024-39022 1Idccms 1Idccms Jun 17, 2026 Jul 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/infoSys_deal.php?mudi=deal
CVE-2024-39021 1Idccms 1Idccms Jun 17, 2026 Jul 5, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/vpsApiData_deal.php?mudi=del
CVE-2024-39020 1Idccms 1Idccms Jun 17, 2026 Jul 5, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/vpsApiData_deal.php?mudi=rev&nohrefStr=close
CVE-2024-39019 1Idccms 1Idccms Jun 17, 2026 Jul 5, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/idcProData_deal.php?mudi=del
CVE-2024-27717 1Eskooly 1Eskooly Jun 17, 2026 Jul 5, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Cross Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component.
CVE-2024-5943 1Kylephillips 1Nested Pages Jun 17, 2026 Jul 4, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missi...Show more The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-38345 - - Jun 17, 2026 Jul 4, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is...Show more A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site.Show less
CVE-2024-38344 - - Jun 17, 2026 Jul 4, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is en...Show more A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site.Show less
CVE-2024-2376 12code 1Wpqa Builder Jun 17, 2026 Jul 3, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-2235 12code 1Himer Jun 17, 2026 Jul 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to via a CSRF attack
CVE-2024-2233 12code 1Himer Jun 17, 2026 Jul 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group...Show more The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a groupShow less
CVE-2024-2040 12code 1Himer Jun 17, 2026 Jul 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack
CVE-2024-4543 1Yeken 1Snippet Shortcodes Jun 17, 2026 Jul 3, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes....Show more The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-39326 - - Jun 17, 2026 Jul 2, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vu...Show more SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue. Show less
CVE-2024-39119 1Idccms 1Idccms Jun 17, 2026 Jul 2, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/info_deal.php?mudi=rev&nohrefStr=close.
CVE-2024-5767 1Sitetweet Project 1Sitetweet Jun 17, 2026 Jul 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The sitetweet WordPress plugin through 0.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...Show more The sitetweet WordPress plugin through 0.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less
CVE-2024-23737 1Savignano 1S Notify Jun 17, 2026 Jul 1, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross Site Request Forgery (CSRF) vulnerability in savignano S/Notify before 4.0.2 for Jira allows attackers to allows attackers to manipulate a user's S/MIME certificate of PGP key via malicious link or email.

Previous 1...157158159...468 Next