Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-25095

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-17 Dec, 2020 | 02:04
Updated At-04 Aug, 2024 | 15:26
Rejected At-
Credits

LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:17 Dec, 2020 | 02:04
Updated At:04 Aug, 2024 | 15:26
Rejected At:
▼CVE Numbering Authority (CNA)

LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/
x_refsource_MISC
Hyperlink: https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/
x_refsource_MISC
x_transferred
Hyperlink: https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:17 Dec, 2020 | 03:15
Updated At:21 Dec, 2020 | 14:31

LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.06.8MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CPE Matches

logrhythm
logrhythm
>>platform_manager>>7.4.9
cpe:2.3:a:logrhythm:platform_manager:7.4.9:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/cve@mitre.org
Third Party Advisory
Hyperlink: https://cybercx.com.au/blog/2020/12/15/logrhythm-zero-days/
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

4144Records found

CVE-2016-0863
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.45%
||
7 Day CHG~0.00%
Published-13 Feb, 2016 | 02:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software EMS before 5.1, and 4.1.0 Build 16, allows remote attackers to hijack the authentication of arbitrary users.

Action-Not Available
Vendor-tollgraden/a
Product-smartgrid_lighthouse_sensor_management_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-25932
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 19.68%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 13:12
Updated-11 May, 2026 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Change Table Prefix plugin <= 2.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Manish Kumar Agarwal Change Table Prefix change-table-prefix allows Cross Site Request Forgery.This issue affects Change Table Prefix: from n/a through <= 2.0.

Action-Not Available
Vendor-youngtechleadsManish Kumar Agarwal
Product-change_table_prefixChange Table Prefix
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44261
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.38%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 09:04
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Block Plugin Update Plugin <= 3.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Dinesh Karki Block Plugin Update plugin <= 3.3 versions.

Action-Not Available
Vendor-dineshkarkiDinesh Karki
Product-block_plugin_updateBlock Plugin Update
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-23595
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.41% / 32.62%
||
7 Day CHG~0.00%
Published-11 Aug, 2023 | 00:00
Updated-09 Oct, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint.

Action-Not Available
Vendor-yzmcmsn/a
Product-yzmcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45107
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.77%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 12:00
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress GoodBarber Plugin <= 1.0.22 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in GoodBarber plugin <= 1.0.22 versions.

Action-Not Available
Vendor-goodbarberGoodBarber
Product-goodbarberGoodBarber
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8412
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:31
Updated-26 May, 2026 | 18:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8426
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-7.5||HIGH
EPSS-0.17% / 6.73%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 20:22
Updated-26 May, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to one-request RCE via package overwrite

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user.   In order to be vulnerable, the victim must be passing canInstallPackages, victim site must be connected to the Concrete marketplace; and the attacker controls the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2022-25952
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.28% / 20.17%
||
7 Day CHG~0.00%
Published-03 Nov, 2022 | 19:35
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Content Egg plugin <= 5.4.0 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Keywordrush Content Egg plugin <= 5.4.0 on WordPress.

Action-Not Available
Vendor-keywordrushKeywordrush
Product-content_eggContent Egg (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-9365
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.47% / 37.10%
||
7 Day CHG~0.00%
Published-02 Jun, 2017 | 05:04
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.

Action-Not Available
Vendor-bigtreecmsn/a
Product-bigtree_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8410
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.14% / 3.88%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:32
Updated-26 May, 2026 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8432
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:26
Updated-26 May, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-0210
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-1.21% / 64.86%
||
7 Day CHG~0.00%
Published-08 Mar, 2018 | 07:00
Updated-02 Dec, 2024 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections on the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. Cisco Bug IDs: CSCvg88291.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-data_center_network_managerCisco Data Center Network Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-16634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.48%
||
7 Day CHG~0.00%
Published-04 Dec, 2018 | 16:00
Updated-05 Aug, 2024 | 10:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pluck v4.7.7 allows CSRF via admin.php?action=settings.

Action-Not Available
Vendor-pluck-cmsn/a
Product-pluckn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-0948
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-8.8||HIGH
EPSS-1.88% / 76.89%
||
7 Day CHG~0.00%
Published-10 Feb, 2016 | 20:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Adobe Connect before 9.5.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-connectn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-19280
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.85% / 53.53%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 22:10
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.

Action-Not Available
Vendor-jeesnsn/a
Product-jeesnsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-1000218
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.81% / 52.58%
||
7 Day CHG~0.00%
Published-16 Jun, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.

Action-Not Available
Vendor-n/aElasticsearch BV
Product-kibana_reportingn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8411
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:32
Updated-26 May, 2026 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8414
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:29
Updated-26 May, 2026 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8413
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:30
Updated-26 May, 2026 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45109
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.01%
||
7 Day CHG~0.00%
Published-13 Oct, 2023 | 13:18
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WhitePage Plugin <= 1.1.5 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in ZAKSTAN WhitePage plugin <= 1.1.5 versions.

Action-Not Available
Vendor-myback.linkZAKSTAN
Product-whitepageWhitePage
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8416
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:28
Updated-26 May, 2026 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45106
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.78%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 14:57
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Urvanov Syntax Highlighter Plugin <= 2.8.33 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Fedor Urvanov, Aram Kocharyan Urvanov Syntax Highlighter plugin <= 2.8.33 versions.

Action-Not Available
Vendor-urvanovFedor Urvanov, Aram Kocharyan
Product-urvanov_syntax_highlighterUrvanov Syntax Highlighter
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8434
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:23
Updated-26 May, 2026 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple()

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44476
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.38%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 14:28
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CopyRightPro Plugin <= 2.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Andres Felipe Perea V. CopyRightPro plugin <= 2.1 versions.

Action-Not Available
Vendor-wp-copyrightproAndres Felipe Perea V.
Product-wp-copyrightproCopyRightPro
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-10206
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.24%
||
7 Day CHG~0.00%
Published-03 Mar, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php.

Action-Not Available
Vendor-zonemindern/a
Product-zonemindern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8427
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.13% / 2.96%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:27
Updated-26 May, 2026 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44997
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.01%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 07:57
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Forms Puzzle Captcha Plugin <= 4.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Nitin Rathod WP Forms Puzzle Captcha plugin <= 4.1 versions.

Action-Not Available
Vendor-nitinrathodNitin Rathod
Product-wp_forms_puzzle_captchaWP Forms Puzzle Captcha
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44238
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.41%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 09:57
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Remove slug from custom post type Plugin <= 1.0.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Joakim Ling Remove slug from custom post type plugin <= 1.0.3 versions.

Action-Not Available
Vendor-joakimlingJoakim Ling
Product-remove_slug_from_custom_post_typeRemove slug from custom post type
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-20945
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.21%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 20:32
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.

Action-Not Available
Vendor-qibosoftn/a
Product-qibosoftn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20891
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.53% / 41.14%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 20:35
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.

Action-Not Available
Vendor-n/aWooCommerce
Product-woocommercen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-9518
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.10%
||
7 Day CHG~0.00%
Published-08 Jun, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMTP hostname and hijack all emails.

Action-Not Available
Vendor-atmailn/a
Product-atmailn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9380
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.82% / 52.69%
||
7 Day CHG~0.00%
Published-30 Aug, 2019 | 12:26
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The photo-gallery plugin before 1.2.42 for WordPress has CSRF.

Action-Not Available
Vendor-n/a10Web (TenWeb, Inc.)
Product-photo_galleryn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9309
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.57%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 15:22
Updated-07 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.

Action-Not Available
Vendor-wepluginsn/a
Product-wp_mapsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44246
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.42%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:00
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shockingly Simple Favicon Plugin <= 1.8.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Matias s Shockingly Simple Favicon plugin <= 1.8.2 versions.

Action-Not Available
Vendor-matiassMatias s
Product-shockingly_simple_faviconShockingly Simple Favicon
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9292
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.61% / 45.02%
||
7 Day CHG~0.00%
Published-08 Aug, 2019 | 20:01
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).

Action-Not Available
Vendor-6kbbsn/a
Product-6kbbsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45058
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.24%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 12:34
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Short URL Plugin <= 1.6.8 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in KaizenCoders Short URL plugin <= 1.6.8 versions.

Action-Not Available
Vendor-kaizencodersKaizenCoders
Product-short_urlShort URL
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-16431
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.84% / 53.48%
||
7 Day CHG~0.00%
Published-04 Sep, 2018 | 00:00
Updated-05 Aug, 2024 | 10:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

Action-Not Available
Vendor-yfcmfn/a
Product-yfcmfn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-9413
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.78% / 75.50%
||
7 Day CHG~0.00%
Published-25 Jul, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.

Action-Not Available
Vendor-subsonicn/a
Product-subsonicn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45052
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.77%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 12:28
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Bing Map Pro Plugin < 5.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in dan009 WP Bing Map Pro plugin < 5.0 versions.

Action-Not Available
Vendor-dan009dan009
Product-wp_bing_map_proWP Bing Map Pro
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9322
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.67% / 47.62%
||
7 Day CHG~0.00%
Published-16 Aug, 2019 | 20:19
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

Action-Not Available
Vendor-erident_custom_login_and_dashboard_projectn/a
Product-erident_custom_login_and_dashboardn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-0295
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-1.04% / 59.95%
||
7 Day CHG~0.00%
Published-28 Feb, 2018 | 17:00
Updated-05 Aug, 2024 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363.

Action-Not Available
Vendor-n/aIBM Corporation
Product-bigfix_platformn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-9517
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.10%
||
7 Day CHG~0.00%
Published-08 Jun, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV.

Action-Not Available
Vendor-atmailn/a
Product-atmailn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9343
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.86%
||
7 Day CHG~0.00%
Published-27 Aug, 2019 | 11:21
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-rollback plugin before 1.2.3 for WordPress has CSRF.

Action-Not Available
Vendor-impressn/a
Product-wp_rollbackn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44232
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.42%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 08:43
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Hide Pages Plugin <= 1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Huseyin Berberoglu WP Hide Pages plugin <= 1.0 versions.

Action-Not Available
Vendor-nxsnHuseyin Berberoglu
Product-wp_hide_pagesWP Hide Pages
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45063
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.78%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 12:41
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One Plugin <= 1.1.5 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in ReCorp AI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One plugin <= 1.1.5 versions.

Action-Not Available
Vendor-rayhan1ReCorp
Product-ai_content_writing_assistantAI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-55741
Matching Score-4
Assigner-309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
ShareView Details
Matching Score-4
Assigner-309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
CVSS Score-8.7||HIGH
EPSS-0.18% / 7.35%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 06:04
Updated-22 Jun, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cotonti CSRF in admin.config.php allows unauthorized configuration changes

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.

Action-Not Available
Vendor-Cotonti
Product-Cotonti
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-57659
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.13% / 3.00%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-26 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Paid Memberships Pro - Add Member From Admin plugin <= 0.7.2 - Cross Site Request Forgery (CSRF) vulnerability

Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.

Action-Not Available
Vendor-Stranger Studios
Product-Paid Memberships Pro - Add Member From Admin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-20691
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-0.46% / 36.67%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 14:26
Updated-05 Aug, 2024 | 02:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by CSRF. This affects D3600 before 1.0.0.72, D6000 before 1.0.0.72, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.24, EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, and WN2500RPv2 before 1.0.1.54.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-ex6130_firmwared6000_firmwareex3800_firmwareex6200ex7000d6000ex6200_firmwareex6150ex3700d3600_firmwareex3800ex6100_firmwareex3700_firmwared3600ex6000wn2500rpwn2500rp_firmwareex7000_firmwareex6120ex6130ex6120_firmwareex6150_firmwareex6000_firmwareex6100n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9233
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.01% / 58.92%
||
7 Day CHG~0.00%
Published-29 Sep, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.

Action-Not Available
Vendor-n/aCodePeople
Product-cp_contact_form_with_paypaln/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9445
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.07% / 60.72%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 03:44
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin-ajax.php in a unitegallery_ajax_action operation.

Action-Not Available
Vendor-unitegalleryn/a
Product-unite_gallery_liten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 82
  • 83
  • Next
Details not found