Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,349)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-34367 - - Jun 17, 2026 May 6, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Popup Box Team Popup box allows Cross-Site Scripting (XSS).This issue affects Popup box: from n/a through 4.1.2.
CVE-2024-34069 3Debian FedoraprojectPalletsprojects 3Debian Linux FedoraWerkzeug Jun 17, 2026 May 6, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker...Show more Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger. This vulnerability is fixed in 3.0.3.Show less
CVE-2024-33830 1Idccms 1Idccms Jun 17, 2026 May 6, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=clearWebCache.
CVE-2024-33829 1Idccms 1Idccms Jun 17, 2026 May 6, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=updateWebCache.
CVE-2024-3756 1Mf Gig Calendar Project 1Mf Gig Calendar Jun 17, 2026 May 6, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack
CVE-2024-34502 2Fedoraproject Mediawiki 2Fedora Mediawiki Jun 17, 2026 May 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even...Show more An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.Show less
CVE-2023-7065 - - Jun 17, 2026 May 4, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Stop Spammers Security \| Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce vali...Show more The Stop Spammers Security \| Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-4086 - - Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when...Show more The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-4083 - - Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Easy Restaurant Table Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation when saving settings. T...Show more The Easy Restaurant Table Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-3215 1Strangerstudios 1Paid Memberships Pro Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing...Show more The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the pmpro_update_level_group_order() function. This makes it possible for unauthenticated attackers to update order levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-2960 1Svs Websoft 1Svs Pricing Tables Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the deletePricingTable() functi...Show more The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the deletePricingTable() function. This makes it possible for unauthenticated attackers to delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-2959 1Svs Websoft 1Svs Pricing Tables Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable() function...Show more The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable() function. This makes it possible for unauthenticated attackers to create and edit pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1416 - - Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and in...Show more The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions.Show less
CVE-2024-1415 - - Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.9. This is due to missing or incorrect nonce validat...Show more The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.9. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. These actions may result in form deletion, and lead signup as well as file upload.Show less
CVE-2024-0847 - - Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The 5280 Bootstrap Modal Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in class-sbmm-list-ta...Show more The 5280 Bootstrap Modal Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in class-sbmm-list-table.php. This makes it possible for unauthenticated attackers to bulk delete messages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0613 - - Jun 17, 2026 May 2, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. This is due to missing or incorrect nonce validation on the ajax_delete_field() funct...Show more The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. This is due to missing or incorrect nonce validation on the ajax_delete_field() function. This makes it possible for unauthenticated attackers to delete arbitrary post meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-4128 1Google 1Firebase Command Line Interface Jun 17, 2026 May 2, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and na...Show more This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0 https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0 Show less
CVE-2024-33913 - - Jun 17, 2026 May 2, 2024 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload in Xserver Migrator.This issue affects Xserver Migrator: from n/a through 1.6.1.
CVE-2024-3481 1Wow Company 1Counter Box Jun 17, 2026 May 2, 2024 N/A· v4 5.2 MEDIUM· v3 N/A· v2 The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks
CVE-2024-3478 1Wow Company 1Herd Effects Jun 17, 2026 May 2, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks

Previous 1...167168169...468 Next