Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,358)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-22304 1Borbis 1Freshmail For Wordpress Jun 17, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2.
CVE-2024-22291 1Marcomilesi 1Browser Theme Color Jun 17, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Browser Theme Color.This issue affects Browser Theme Color: from n/a through 1.3.
CVE-2024-22285 1Elisebosse 1Frontpage Manager Jun 17, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Elise Bosse Frontpage Manager.This issue affects Frontpage Manager: from n/a through 1.3.
CVE-2024-22143 1Wpspellcheck 1Wpspellcheck Jun 17, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check.This issue affects WP Spell Check: from n/a through 9.17.
CVE-2024-22290 1Custom Dashboard Widgets Project 1Custom Dashboard Widgets Jun 17, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS).This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.
CVE-2024-22287 1Ludek 1Better Anchor Links Jun 17, 2026 Jan 31, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Luděk Melichar Better Anchor Links allows Cross-Site Scripting (XSS).This issue affects Better Anchor Links: from n/a through 1.7.5.
CVE-2024-22643 1Seopanel 1Seo Panel Jun 17, 2026 Jan 30, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) vulnerability in SEO Panel version 4.10.0 allows remote attackers to perform unauthorized user password resets.
CVE-2023-51813 1Free And Open Source Inventory Management System Project 1Free And Open Source Inventory Management System Jun 17, 2026 Jan 30, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Cross Site Request Forgery (CSRF) vulnerability in Free Open-Source Inventory Management System v.1.0 allows a remote attacker to execute arbitrary code via the staff_list parameter in the index.php component.
CVE-2023-7074 1Giovambattistafazioli 1Wp Social Bookmark Menu Jun 17, 2026 Jan 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2023-6946 1Unalignedcode 1Autotitle Jun 17, 2026 Jan 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2023-6633 1Sidenotesproject 1Side Notes Jun 17, 2026 Jan 29, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes,...Show more The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacksShow less
CVE-2023-6503 1Paulgriffinpetty 1Wp Plugin Lister Jun 17, 2026 Jan 29, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads vi...Show more The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.Show less
CVE-2023-6391 1Jeremiahorem 1Custom User Css Jun 17, 2026 Jan 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Custom User CSS WordPress plugin through 0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2023-6390 1Jonathonkemp 1Wordpress Users Jun 17, 2026 Jan 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The WordPress Users WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2024-0667 110web 1Form Maker Jun 17, 2026 Jan 27, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorre...Show more The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-0880 1100296 1Qdbcrm Jun 17, 2026 Jan 25, 2024 N/A· v4 8.8 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/edit?id=2 of the component Password Reset. The manipulation leads...Show more A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/edit?id=2 of the component Password Reset. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252032. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-0624 1Strangerstudios 1Paid Memberships Pro Jun 17, 2026 Jan 25, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missin...Show more The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validation on the pmpro_update_level_order() function. This makes it possible for unauthenticated attackers to update the order of levels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2024-23902 1Jenkins 1Github Branch Source Jun 17, 2026 Jan 24, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL.
CVE-2023-6625 1Gravitymaster 1Product Enquiry For Woocommerce Jun 17, 2026 Jan 22, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack
CVE-2024-0623 1Vektor Inc 1Vk Block Patterns Jun 17, 2026 Jan 20, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache(...Show more The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the patterns cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less

Previous 1...193194195...468 Next