Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,360)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0398 1Caseproof 1Thirstyaffiliates Affiliate Link Manager Jun 17, 2026 Apr 25, 2022 N/A· v4 5.4 MEDIUM· v3 4.9 MEDIUM· v2 The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to creat...Show more The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary websiteShow less
CVE-2022-0363 1Wpexperts 1Mycred Jun 17, 2026 Apr 25, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycre...Show more The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.Show less
CVE-2021-24805 1Designwall 1Dw Question & Answer Jun 17, 2026 Apr 25, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a qu...Show more The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status.Show less
CVE-2022-27340 1Mingsoft 1Mcms Jun 17, 2026 Apr 22, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data.
CVE-2021-38886 2Ibm Netapp 2Cognos Analytics Oncommand Insight Jun 17, 2026 Apr 22, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM...Show more IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 209399.Show less
CVE-2021-32929 1Uffizio 1Gps Tracker Jun 17, 2026 Apr 22, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user.
CVE-2022-20787 1Cisco 1Unified Communications Manager Jun 17, 2026 Apr 21, 2022 N/A· v4 6.8 MEDIUM· v3 6.0 MEDIUM· v2 A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote atta...Show more A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an authenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.Show less
CVE-2022-27629 1Videowhisper 1Micropayments Jun 17, 2026 Apr 20, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication...Show more Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors.Show less
CVE-2021-4096 1Radykal 1Fancy Product Designer Jun 17, 2026 Apr 19, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshel...Show more The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.Show less
CVE-2022-28108 1Selenium 1Selenium Grid Jun 17, 2026 Apr 19, 2022 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
CVE-2022-1112 1Autolinks Project 1Autolinks Jun 17, 2026 Apr 18, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting...Show more The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attackShow less
CVE-2022-1020 1Codeastrology 1Woo Product Table Jun 17, 2026 Apr 18, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authe...Show more The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argumentShow less
CVE-2022-0707 1Awesomemotive 1Easy Digital Downloads Jun 17, 2026 Apr 18, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
CVE-2022-23976 1Accesspressthemes 1Access Demo Importer Jun 17, 2026 Apr 18, 2022 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media).
CVE-2022-23975 1Accesspressthemes 1Access Demo Importer Jun 17, 2026 Apr 18, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin.
CVE-2022-27851 1Dineshkarki 1Use Any Font Jun 17, 2026 Apr 15, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) in Use Any Font (WordPress plugin) <= 6.1.7 allows an attacker to deactivate the API key.
CVE-2022-27850 1Plugin Planet 1Simple Ajax Chat Jun 17, 2026 Apr 15, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) in Simple Ajax Chat (WordPress plugin) <= 20220115 allows an attacker to clear the chat log or delete a chat message.
CVE-2022-28109 1Selenium 1Selenium Grid Jun 17, 2026 Apr 15, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / S...Show more Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.Show less
CVE-2022-20735 1Cisco 2Catalyst Sd Wan Manager Sd Wan Vmanage Jun 17, 2026 Apr 15, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vul...Show more A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. These actions could include modifying the system configuration and deleting accounts.Show less
CVE-2022-27847 1Yooslider 1Yoo Slider Jun 17, 2026 Apr 13, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to import templates.

Previous 1...289290291...468 Next