Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,359)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-24466 1Verse O Matic Project 1Verse O Matic Jun 17, 2026 Aug 16, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the se...Show more The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issuesShow less
CVE-2021-24411 1Social Tape Project 1Social Tape Jun 17, 2026 Aug 16, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripti...Show more The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attackShow less
CVE-2021-24410 1Telugu Bible Verse Daily Project 1Telugu Bible Verse Daily Jun 17, 2026 Aug 16, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers t...Show more The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issuesShow less
CVE-2021-24380 1Shantz Wordpress Qotd Project 1Shantz Wordpress Qotd Jun 17, 2026 Aug 16, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.
CVE-2020-22403 1Express Cart Project 1Express Cart Jun 17, 2026 Aug 12, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add discount code or other unspecified impacts.
CVE-2020-20989 1Domainmod 1Domainmod Jun 17, 2026 Aug 12, 2021 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) in /admin/maintenance/ of Domainmod 4.13 allows attackers to arbitrarily delete logs.
CVE-2020-18464 1Aikcms 1Aikcms Jun 17, 2026 Aug 12, 2021 N/A· v4 3.5 LOW· v3 3.5 LOW· v2 Cross Site Request Forgery (CSRF) vulnerability in AikCms 2.0.0 in video_list.php, which can let a malicious user delete movie information.
CVE-2020-18463 1Aikcms 1Aikcms Jun 17, 2026 Aug 12, 2021 N/A· v4 2.4 LOW· v3 3.5 LOW· v2 Cross Site Request Forgery (CSRF) vulnerability exists in v2.0.0 in video_list.php, which can let a malicious user delete a video message.
CVE-2020-18460 1711cms 1711cms Jun 17, 2026 Aug 12, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability exists in 711cms v1.0.7 that can add an admin account via admin.php?c=Admin&m=content.
CVE-2020-18458 1Damicms 1Damicms Jun 17, 2026 Aug 12, 2021 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability exists in DamiCMS v6.0.6 that can add an admin account via admin.php?s=/Admin/doadd.
CVE-2020-18457 1Bycms Project 1Bycms Jun 17, 2026 Aug 12, 2021 N/A· v4 6.8 MEDIUM· v3 6.0 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability exists in bycms v1.3.0 that can add an admin account via admin.php/ucenter/add.html.
CVE-2020-18454 1Bycms Project 1Bycms Jun 17, 2026 Aug 12, 2021 N/A· v4 6.8 MEDIUM· v3 6.0 MEDIUM· v2 Cross Site Request Forgery (CSRF) vulnerability in bycms v1.3 via admin.php/systems/index/module_id/70/group_id/1.html.
CVE-2020-25562 1Sapphireims 1Sapphireims Jun 17, 2026 Aug 11, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 In SapphireIMS 5.0, there is no CSRF token present in the entire application. This can lead to CSRF vulnerabilities in critical application forms like account resent.
CVE-2021-32122 1Netgear 4Ex3700 Firmware Ex3800 FirmwareEx6120 Firmware+1 more Jun 17, 2026 Aug 11, 2021 N/A· v4 8.0 HIGH· v3 5.4 MEDIUM· v2 Certain NETGEAR devices are affected by CSRF. This affects EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, and EX6130 before 1.0.0.44.
CVE-2021-29400 1Netexplorer 1My Smtp Contact Jun 17, 2026 Aug 10, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authe...Show more A cross-site request forgery (CSRF) vulnerability in the My SMTP Contact v1.1.1 plugin for GetSimple CMS allows remote attackers to change the SMTP settings of the contact forms for the webpages of the CMS after an authenticated admin visits a malicious third-party site.Show less
CVE-2021-37366 1Ctparental Project 1Ctparental Jun 17, 2026 Aug 10, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CTparental before 4.45.03 is vulnerable to cross-site request forgery (CSRF) in the CTparental admin panel. By combining CSRF with XSS, an attacker can trick the administrator into clicking a link that cancels the filter...Show more CTparental before 4.45.03 is vulnerable to cross-site request forgery (CSRF) in the CTparental admin panel. By combining CSRF with XSS, an attacker can trick the administrator into clicking a link that cancels the filtering for all standard users.Show less
CVE-2021-34661 1Verygoodplugins 1Wp Fusion Jun 17, 2026 Aug 9, 2021 N/A· v4 4.7 MEDIUM· v3 4.3 MEDIUM· v2 The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all log...Show more The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.Show less
CVE-2021-24500 1Amentotech 1Workreap Jun 17, 2026 Aug 9, 2021 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logge...Show more Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site.Show less
CVE-2021-24467 1Leaflet Map Project 1Leaflet Map Jun 17, 2026 Aug 9, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This co...Show more The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the pluginShow less
CVE-2020-21358 1Wagecms Project 1Wage Cms Jun 17, 2026 Aug 6, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A cross site request forgery (CSRF) in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users.

Previous 1...310311312...468 Next