Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,360)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-1695 1Tipsandtricks Hq 1Wp Simple Adsense Insertion Jun 17, 2026 Jun 8, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via...Show more The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.Show less
CVE-2022-1577 1Deliciousbrains 1Database Backup Jun 17, 2026 Jun 8, 2022 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. T...Show more The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. Or disable the automatic backup scheduleShow less
CVE-2022-1570 1Files Download Delay Project 1Files Download Delay Jun 17, 2026 Jun 8, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The Files Download Delay WordPress plugin before 1.0.7 does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action.
CVE-2022-1424 12code 1Ask Me Jun 17, 2026 Jun 8, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged in users to perform various actions on their behalf on the site.
CVE-2022-1422 12code 1Discy Jun 17, 2026 Jun 8, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.
CVE-2022-1421 12code 1Discy Jun 17, 2026 Jun 8, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack
CVE-2020-36534 1Easyiicms 1Easyiicms Jun 17, 2026 Jun 7, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability was found in easyii CMS. It has been classified as problematic. Affected is an unknown function of the file /admin/sign/out. The manipulation leads to cross site request forgery. It is possible to launch...Show more A vulnerability was found in easyii CMS. It has been classified as problematic. Affected is an unknown function of the file /admin/sign/out. The manipulation leads to cross site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2022-29735 1Deltacontrols 1Entelitouch Firmware Jun 17, 2026 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 allows attackers to execute arbitrary commands via a crafted HTTP request.
CVE-2022-29647 1Mingsoft 1Mcms Jun 17, 2026 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2021-36890 1Supsystic 1Social Share Buttons Jun 17, 2026 Jun 2, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.
CVE-2020-20971 1Pbootcms 1Pbootcms Jun 17, 2026 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.
CVE-2022-31000 1Nebulab 1Solidus Jun 17, 2026 Jun 1, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to ch...Show more solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.Show less
CVE-2022-22361 1Ibm 2Business Automation Workflow Business Process Manager Jun 17, 2026 May 31, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1...Show more IBM Business Automation Workflow traditional 21.0.1 through 21.0.3, 20.0.0.1 through 20.0.0.2, 19.0.0.1 through 19.0.0.3, 18.0.0.0 through 18.0.0.1, IBM Business Automation Workflow containers V21.0.1 - V21.0.3 20.0.0.1 through 20.0.0.2, IBM Business Process Manager 8.6.0.0 through 8.6.0.201803, and 8.5.0.0 through 8.5.0.201706 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.Show less
CVE-2022-1611 1Bulk Page Creator Project 1Bulk Page Creator Jun 17, 2026 May 30, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF.
CVE-2022-1589 1Wpexperts 1All In One Login Jun 17, 2026 May 30, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings....Show more The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vectorShow less
CVE-2022-1203 1Content Mask Project 1Content Mask Jun 17, 2026 May 30, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result,...Show more The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog optionsShow less
CVE-2022-0642 1Jivochat 1Jivochat Jun 17, 2026 May 30, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulne...Show more The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.Show less
CVE-2021-34360 1Qnap 1Nas Proxy Server Jun 17, 2026 May 26, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed thi...Show more A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and laterShow less
CVE-2022-29002 1Xuxueli 1Xxl Job Jun 17, 2026 May 23, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.
CVE-2022-30014 1Simple Food Website Project 1Simple Food Website Jun 17, 2026 May 23, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.

Previous 1...286287288...468 Next