CWE-352

9,359 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


CVEs (9,359)

Each entry lists the vendor and product (with the count shown on the page), the updated and published dates, the CVSS v4 / v3 / v2 scores and the CVE description.

Vendors (1): Ciphercoin
Products (1): Contact Form 7 Database Addon
Updated: Jun 17, 2026 | Published: Dec 22, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).

Vendors (1): Projectworlds
Products (1): Online Shopping System
Updated: Jun 17, 2026 | Published: Dec 22, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Description: In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart.

Vendors (1): Projectworlds
Products (1): Online Book Store Project In Php
Updated: Jun 17, 2026 | Published: Dec 22, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: In ProjectWorlds Online Book Store PHP 1.0, a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book.

Vendors (1): Wpwax
Products (1): Directorist
Updated: Jun 17, 2026 | Published: Dec 21, 2021
CVSS: v4 N/A | v3 7.5 HIGH | v2 5.1 MEDIUM
Description: The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

Vendors (1): Nebulab
Products (1): Solidus
Updated: Jun 17, 2026 | Published: Dec 20, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Description: `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modification to `config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

Vendors (1): Tarteaucitron.js Cookies Legislation & Gdpr Project
Products (1): Tarteaucitron.js Cookies Legislation & Gdpr
Updated: Jun 17, 2026 | Published: Dec 20, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass".

Vendors (1): Livehelperchat
Products (1): Live Helper Chat
Updated: Jun 17, 2026 | Published: Dec 18, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).

Vendors (1): Snipeitapp
Products (1): Snipe It
Updated: Jun 17, 2026 | Published: Dec 18, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: snipe-it is vulnerable to Cross-Site Request Forgery (CSRF).

Vendors (1): User Management System In Php Stored Procedure Project
Products (1): User Management System In Php Stored Procedure
Updated: Jun 17, 2026 | Published: Dec 16, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0 allows attackers to change the password of an arbitrary account.

Vendors (1): Galette
Products (1): Galette
Updated: Jun 17, 2026 | Published: Dec 16, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: Galette is a membership management web application built for non-profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.

Vendors (1): Livehelperchat
Products (1): Live Helper Chat
Updated: Jun 17, 2026 | Published: Dec 16, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF).

Vendors (1): Catfish Cms
Products (1): Catfish Cms
Updated: Jun 17, 2026 | Published: Dec 15, 2021
CVSS: v4 N/A | v3 8.8 HIGH | v2 6.8 MEDIUM
Description: Cross Site Request Forgery (CSRF) vulnerability exists in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add Menu column.

Vendors (1): Glfusion
Products (1): Glfusion
Updated: Jun 17, 2026 | Published: Dec 14, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Description: glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator into clicking, an attacker can add a blacklist.

Vendors (1): Likebtn
Products (1): Like Button Rating
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 8.0 HIGH | v2 6.0 MEDIUM
Description: The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of email and IP addresses of people who liked content from the blog.

Vendors (1): Fatcatapps
Products (1): Pixel Cat
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 9.0 CRITICAL | v2 6.0 MEDIUM
Description: The Pixel Cat WordPress plugin before 2.6.2 does not have a CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks.

Vendors (1): Storeapps
Products (1): Temporary Login Without Password
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Description: The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them.

Vendors (1): Wp Limits Project
Products (1): Wp Limits
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.3 MEDIUM
Description: The WP Limits WordPress plugin through 1.0 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them, which could make the blog unstable by setting low values.

Vendors (1): Phoeniixx
Products (1): Filter Portfolio Gallery
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged-in admin delete an arbitrary Gallery.

Vendors (1): Contact Form Advanced Database Project
Products (1): Contact Form Advanced Database
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 4.3 MEDIUM | v2 4.0 MEDIUM
Description: The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data action would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated.

Vendors (1): Wp Admin Logo Changer Project
Products (1): Wp Admin Logo Changer
Updated: Jun 17, 2026 | Published: Dec 13, 2021
CVSS: v4 N/A | v3 6.5 MEDIUM | v2 4.3 MEDIUM
Description: The WP Admin Logo Changer WordPress plugin through 1.0 does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin update them via a CSRF attack.