The Add Post URL WordPress plugin through 2.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack
The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks.
The Latest Tweets Widget WordPress plugin through 1.1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
The OpenBook Book Data WordPress plugin through 3.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well
The Cross-Linker WordPress plugin through 3.0.1.9 does not have CSRF check in place when creating Cross-Links, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CXUUCMS V3 3.1 has a CSRF vulnerability that can add an administrator account via admin.php?c=adminuser&a=add.
The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more.
The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4.
An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html.
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data
The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.
bloofoxCMS 0.5.2.1 is infected with a CSRF Attack that leads to an attacker editing any file content (Locally/Remotely).
CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans
The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack
phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF)
A vulnerability in the web-based management interface of Cisco Mobility Express Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user with an active session on an affected device to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions, including modifying the configuration, with the privilege level of the user.
Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/livehelperchat prior to 2.0.
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion.
The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user.
A vulnerability in the web-based interface of Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to click a malicious link. A successful exploit could allow the attacker to send arbitrary requests that could change the password of a targeted user. An attacker could then take unauthorized actions on behalf of the targeted user.
In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted.
iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.
mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added
Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0.
The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.
FUEL CMS 1.4.13 contains a cross-site request forgery (CSRF) vulnerability that can delete a page via a post ID to /pages/delete/3.
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
Cross Site Request Forgery (CSRF) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 . The CSRF token is not being validated when the request is sent as a GET method. This results in an unauthorized change in the user's email ID, which can later be used to reset the password. The new password will be sent to a modified email ID.
The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allows remote attackers to create new projects and abort an executing external system import via various Cross-site request forgery (CSRF) vulnerabilities.
Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious file for updating the inventory details and items.
A vulnerability was found in XYZScripts Contact Form Manager Plugin. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.