Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,349)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-34007 1Moodle 1Moodle Jun 17, 2026 May 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.
CVE-2024-34001 1Moodle 1Moodle Jun 17, 2026 May 31, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.
CVE-2024-4426 1Comparisonslider 1Comparison Slider Jun 17, 2026 May 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Comparison Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on several functions hooked to AJAX...Show more The Comparison Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on several functions hooked to AJAX actions. This makes it possible for unauthenticated attackers to change slider titles, delete sliders and modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-4218 - - Jun 17, 2026 May 30, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vul...Show more The AffiEasy plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to plugin improperly releasing the tagged and patched version of the plugin - the vulnerable version is used as the core files, while the patched version was included in a 'trunk' folder. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-3947 1Delower 1Wp To Do Jun 17, 2026 May 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_settings() function. This make...Show more The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_settings() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-3945 1Delower 1Wp To Do Jun 17, 2026 May 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes...Show more The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes it possible for unauthenticated attackers to add new todo items via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-3943 1Delower 1Wp To Do Jun 17, 2026 May 30, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_addcomment function. This make...Show more The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_addcomment function. This makes it possible for unauthenticated attackers to add comments to to do items via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-5185 - - Jun 17, 2026 May 29, 2024 8.3 HIGH· v4 7.3 HIGH· v3 N/A· v2 The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks,...Show more The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.Show less
CVE-2024-4429 1Microfocus 1Imanager Jun 17, 2026 May 28, 2024 N/A· v4 7.4 HIGH· v3 N/A· v2 Cross-Site Request Forgery vulnerability has been discovered in OpenText™ iManager 3.2.6.0200. This could lead to sensitive information disclosure.
CVE-2024-5428 1Oretnom23 1Simple Online Bidding System Jun 17, 2026 May 28, 2024 6.9 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic was found in SourceCodester Simple Online Bidding System 1.0. Affected by this vulnerability is the function save_product of the file /admin/index.php?page=manage_product of the...Show more A vulnerability classified as problematic was found in SourceCodester Simple Online Bidding System 1.0. Affected by this vulnerability is the function save_product of the file /admin/index.php?page=manage_product of the component HTTP POST Request Handler. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-266383.Show less
CVE-2024-4535 1Krzysztof Furtak 1Kkprogressbar2 Jun 17, 2026 May 27, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-4534 1Krzysztof Furtak 1Kkprogressbar2 Jun 17, 2026 May 27, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS paylo...Show more The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attackShow less
CVE-2024-4532 1Esterox 1Business Card Jun 17, 2026 May 27, 2024 N/A· v4 6.4 MEDIUM· v3 N/A· v2 The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks
CVE-2024-4531 1Esterox 1Business Card Jun 17, 2026 May 27, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF attacks
CVE-2024-4530 1Esterox 1Business Card Jun 17, 2026 May 27, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks
CVE-2024-4529 1Esterox 1Business Card Jun 17, 2026 May 27, 2024 N/A· v4 5.0 MEDIUM· v3 N/A· v2 The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF attacks
CVE-2024-36255 1Mattermost 1Mattermost Server Jun 17, 2026 May 26, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creatin...Show more Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel.Show less
CVE-2024-4409 - - Jun 17, 2026 May 24, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it...Show more The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2023-7045 1Gitlab 1Gitlab Jun 17, 2026 May 23, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via...Show more A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS).Show less
CVE-2024-35561 1Idccms 1Idccms Jun 17, 2026 May 22, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/ca_deal.php?mudi=add&nohrefStr=close.

Previous 1...162163164...468 Next