Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,360)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-18326 1Intelliants 1Subrion Cms Jun 17, 2026 Mar 4, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victi...Show more Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user.Show less
CVE-2021-44321 1Mini Inventory And Sales Management System Project 1Mini Inventory And Sales Management System Jun 17, 2026 Mar 4, 2022 N/A· v4 5.0 MEDIUM· v3 4.3 MEDIUM· v2 Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious...Show more Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious file for updating the inventory details and items.Show less
CVE-2022-23052 1Petereport Project 1Petereport Jun 17, 2026 Mar 3, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application.
CVE-2022-24712 1Codeigniter 1Codeigniter Jun 17, 2026 Feb 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protecti...Show more CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. If auto-routing is enabled, check the request method in the controller method before processing. If auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes; or check the request method in the controller method before processing.Show less
CVE-2022-0345 1Madewithfuel 1Customize Wordpress Emails And Alerts Jun 17, 2026 Feb 28, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-ma...Show more The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).Show less
CVE-2022-0328 1Simple Membership Plugin 1Simple Membership Jun 17, 2026 Feb 28, 2022 N/A· v4 4.7 MEDIUM· v3 4.3 MEDIUM· v2 The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
CVE-2021-25081 1Wpgooglemap 1Wp Google Map Jun 17, 2026 Feb 28, 2022 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin...Show more The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attackShow less
CVE-2021-25011 1Wpgooglemap 1Wp Google Map Jun 17, 2026 Feb 28, 2022 N/A· v4 5.7 MEDIUM· v3 3.5 LOW· v2 The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitra...Show more The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.Show less
CVE-2021-25010 1Postsnippets 1Post Snippets Jun 17, 2026 Feb 28, 2022 N/A· v4 9.6 CRITICAL· v3 6.8 MEDIUM· v2 The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and e...Show more The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issuesShow less
CVE-2021-24913 1Infornweb 1Logo Showcase With Slick Slider Jun 17, 2026 Feb 28, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, descript...Show more The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media.Show less
CVE-2021-24823 1Schiocco 1Support Board Jun 17, 2026 Feb 28, 2022 N/A· v4 8.1 HIGH· v3 4.9 MEDIUM· v2 The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an...Show more The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary filesShow less
CVE-2021-24803 1Core Tweaks Wp Setup Project 1Core Tweaks Wp Setup Jun 17, 2026 Feb 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an a...Show more The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacksShow less
CVE-2021-24730 1Infornweb 1Logo Showcase With Slick Slider Jun 17, 2026 Feb 28, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change...Show more The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media.Show less
CVE-2021-24704 1Orange Form Project 1Orange Form Jun 17, 2026 Feb 28, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page th...Show more In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged in admin delete arbitrary posts for exampleShow less
CVE-2021-24688 1Orange Form Project 1Orange Form Jun 17, 2026 Feb 28, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated us...Show more The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)Show less
CVE-2022-24342 1Jetbrains 1Teamcity Jun 17, 2026 Feb 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible.
CVE-2022-24947 1Apache 1Jspwiki Jun 17, 2026 Feb 25, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.
CVE-2022-21179 1Ec Cube 1E Mail Newsletter Management Jun 17, 2026 Feb 24, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated at...Show more Cross-site request forgery (CSRF) vulnerability in EC-CUBE plugin 'Mail Magazine Management Plugin' ver4.0.0 to 4.1.1 (for EC-CUBE 4 series) and ver1.0.0 to 1.0.4 (for EC-CUBE 3 series) allows a remote unauthenticated attacker to hijack the authentication of an administrator via a specially crafted page, and Mail Magazine Templates and/or transmitted history information may be deleted unintendedly.Show less
CVE-2021-4030 1Zyxel 2Nbg6816 Firmware Nbg6817 Firmware Jun 17, 2026 Feb 24, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website wi...Show more A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts.Show less
CVE-2022-25599 1Spiffyplugins 1Spiffy Calendar Jun 17, 2026 Feb 21, 2022 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion was discovered in Spiffy Calendar WordPress plugin (versions <= 4.9.0).

Previous 1...293294295...468 Next