CWE-352

9,360 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,360)

Each entry lists Vendors | Products | Updated | Published | CVSS (v4, v3, v2), followed by the CVE description.
Vendors (1): Secomea | Products (4): Gatemanager 4250 Firmware, Gatemanager 4260 Firmware, Gatemanager 8250 Firmware, +1 more | Updated: Jun 17, 2026 | Published: May 4, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the Web UI of Secomea GateManager allows a phishing attacker to issue a GET request in a logged-in user's session.
Vendors (1): Logitech | Products (1): Options | Updated: Jun 17, 2026 | Published: May 3, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
Vendors (1): Sitemap Project | Products (1): Sitemap | Updated: Jun 17, 2026 | Published: May 2, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.
Vendors (1): Acnam | Products (1): Ad Invalid Click Protector | Updated: Jun 17, 2026 | Published: May 2, 2022 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 4.3 MEDIUM
The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have a CSRF check when deleting banned users, which could allow attackers to make a logged-in admin remove arbitrary bans.
Vendors (1): Rainworx | Products (1): Auctionworx | Updated: Jun 17, 2026 | Published: May 2, 2022 | CVSS: v4 N/A, v3 8.0 HIGH, v2 6.0 MEDIUM
Rainworx Auctionworx < 3.1R2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows an authenticated user to upgrade his account to admin and gain access to the auctionworx admin control panel. This vulnerability affects AuctionWorx Enterprise and AuctionWorx: Events Edition.
Vendors (1): Rarathemes | Products (1): Rara One Click Demo Import | Updated: Jun 17, 2026 | Published: Apr 29, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Cross-Site Request Forgery (CSRF) leading to Arbitrary File Upload vulnerability in Rara One Click Demo Import plugin <= 1.2.9 on WordPress allows attackers to trick logged-in admin users into uploading dangerous files into /wp-content/uploads/ directory.
Vendors (1): Wpkube | Products (1): Subscribe To Comments Reloaded | Updated: Jun 17, 2026 | Published: Apr 29, 2022 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 5.8 MEDIUM
Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allow attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.
Vendors (1): Smartptt | Products (1): Scada Server | Updated: Jun 17, 2026 | Published: Apr 29, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Elcomplus SmartPTT SCADA Server web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Vendors (1): Mediawiki | Products (1): Mediawiki | Updated: Jun 17, 2026 | Published: Apr 29, 2022 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.
Vendors (1): Mediawiki | Products (1): Mediawiki | Updated: Jun 17, 2026 | Published: Apr 29, 2022 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.3 MEDIUM
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.
Vendors (1): Northern.tech | Products (1): Mender | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2 allows Cross-Origin Websocket Hijacking.
Vendors (1): Hermit Project | Products (1): Hermit | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via &title parameter.
Vendors (1): Hermit Project | Products (1): Hermit | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 5.4 MEDIUM, v2 5.8 MEDIUM
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit 音乐播放器 plugin <= 3.1.6 on WordPress allow attackers to delete cache, delete a source, create source.
Vendors (1): Mahara | Products (1): Mahara | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 8.8 HIGH, v2 6.8 MEDIUM
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable.
Vendors (1): Footer Text Project | Products (1): Footer Text | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 6.1 MEDIUM, v2 4.3 MEDIUM
Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress.
Vendors (1): Shopware | Products (1): Shopware | Updated: Jun 17, 2026 | Published: Apr 28, 2022 | CVSS: v4 N/A, v3 7.5 HIGH, v2 5.0 MEDIUM
Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.
Vendors (1): Tenda | Products (1): Ax12 Firmware | Updated: Jun 17, 2026 | Published: Apr 25, 2022 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 7.1 HIGH
Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_422168 at /goform/WifiExtraSet.
Vendors (1): Tenda | Products (1): Ax12 Firmware | Updated: Jun 17, 2026 | Published: Apr 25, 2022 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 7.1 HIGH
Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_42E328 at /goform/SysToolReboot.
Vendors (1): Wpexperts | Products (1): Mycred | Updated: Jun 17, 2026 | Published: Apr 25, 2022 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call it and retrieve the list of email addresses present in the blog.
Vendors (1): Caseproof | Products (1): Thirstyaffiliates Affiliate Link Manager | Updated: Jun 17, 2026 | Published: Apr 25, 2022 | CVSS: v4 N/A, v3 4.3 MEDIUM, v2 4.0 MEDIUM
The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further, the plugin lacks CSRF checks, allowing an attacker to trick a logged-in user into performing the action by crafting a special request.
The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.Show less