Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,352)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-52223 1Mailerlite 1Mailerlite Jun 17, 2026 Feb 28, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in MailerLite MailerLite – WooCommerce integration.This issue affects MailerLite – WooCommerce integration: from n/a through 2.0.8.
CVE-2023-51683 1Wpplugin 1Easy Paypal & Stripe Buy Now Button Jun 17, 2026 Feb 28, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Easy PayPal & Stripe Buy Now Button.This issue affects Easy PayPal & Stripe Buy Now Button: from n/a through 1.8.1.
CVE-2023-51681 - - Jun 17, 2026 Feb 28, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Duplicator Duplicator – WordPress Migration & Backup Plugin.This issue affects Duplicator – WordPress Migration & Backup Plugin: from n/a through 1.5.7.
CVE-2024-24705 - - Jun 17, 2026 Feb 28, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Octa Code Accessibility.This issue affects Accessibility: from n/a through 1.0.6.
CVE-2024-24702 1Sivel 1Pagerestrict Jun 17, 2026 Feb 28, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Matt Martz & Andy Stratton Page Restrict.This issue affects Page Restrict: from n/a through 2.5.5.
CVE-2024-1719 1Wpplugin 1Paypal & Stripe Add On Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and...Show more The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugins settings and chance the stripe connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1954 1Oliverpos 1Oliver Pos Jun 17, 2026 Feb 28, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in t...Show more The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0768 1Envothemes 1Envo's Elementor Templates & Widgets For Woocommerce Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the...Show more The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0767 1Envothemes 1Envo's Elementor Templates & Widgets For Woocommerce Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on t...Show more The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0433 1Fabrick 1Gestpay For Woocommerce Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default...Show more The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default_card' function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0432 1Fabrick 1Gestpay For Woocommerce Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card'...Show more The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0431 1Fabrick 1Gestpay For Woocommerce Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_c...Show more The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1943 1Wpmoose 1Yuki Jun 17, 2026 Feb 28, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This...Show more The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the themes settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1912 1Frenify 1Categorify Jun 17, 2026 Feb 27, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPositio...Show more The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers to update the folder position of categories as well as update the metadata of other taxonomies via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1910 1Frenify 1Categorify Jun 17, 2026 Feb 27, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory funct...Show more The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory function. This makes it possible for unauthenticated attackers to clear categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1909 1Frenify 1Categorify Jun 17, 2026 Feb 27, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory func...Show more The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory function. This makes it possible for unauthenticated attackers to rename categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1907 1Frenify 1Categorify Jun 17, 2026 Feb 27, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory func...Show more The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory function. This makes it possible for unauthenticated attackers to delete categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-1906 1Frenify 1Categorify Jun 17, 2026 Feb 27, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory functio...Show more The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory function. This makes it possible for unauthenticated attackers to add categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2023-7203 1Rednao 1Smart Forms Jun 17, 2026 Feb 27, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting...Show more The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries.Show less
CVE-2023-7202 1Verygoodplugins 1Fatal Error Notify Jun 17, 2026 Feb 27, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email add...Show more The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRFShow less

Previous 1...188189190...468 Next