The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks.
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon by Supsystic plugin <= 1.7.10 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Slider by Supsystic plugin <= 1.8.5 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.
The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.
The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Contact Form by Supsystic plugin <= 1.7.27 versions.
The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions.
The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.
The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-31269 appears to be a duplicate of this issue.
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. One consequence of this is stored XSS.
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes GDPR Compliance & Cookie Consent plugin <= 1.2 versions.
Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates plugin <= 3.1.20 versions.
Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Cart All In One For WooCommerce plugin <= 1.1.10 leading to cart modification.
The Tickera WordPress plugin before 3.5.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 leading to galleries hierarchy change, included plugin deactivate & activate.
A vulnerability classified as problematic has been found in PHPGurukul Teacher Subject Allocation Management System 1.0. Affected is an unknown function of the file /admin/course.php of the component Delete Course Handler. The manipulation of the argument delid leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247896.
Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Import External Images plugin <= 1.4 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change.
Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro Appointments Booking Calendar Plugin plugin <= 1.1.4 versions.
Cross-Site Request Forgery (CSRF) vulnerability in DevsCred Exclusive Addons Elementor plugin <= 2.6.1 versions.
Cross-Site Request Forgery (CSRF) vulnerability in XootiX Side Cart Woocommerce (Ajax) < 2.1 versions.
The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces.
The Mautic Integration for WooCommerce WordPress plugin before 1.0.3 does not have proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, allowing attackers to make a logged in admin change arbitrary blog options via a CSRF attack.
A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.
Cross-site request forgery (CSRF) vulnerability in the Admin portlet in Liferay Portal before 4.4.0 allows remote authenticated users to perform unspecified actions as unspecified other authenticated users via the Shutdown message.
Cross-Site Request Forgery (CSRF) vulnerability in Mercado Pago Mercado Pago payments for WooCommerce plugin <= 6.3.1.
The Intuitive Custom Post Order WordPress plugin before 3.1.4 lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack
Cross-Site Request Forgery (CSRF) vulnerability in Paramveer Singh for Arete IT Private Limited Activity Reactions For Buddypress plugin <= 1.0.22 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Custom Order Numbers for WooCommerce plugin <= 1.4.0 versions.
The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible for unauthenticated attackers to reset the plugin options to a default state via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
IBM Security Guardium Insights 2.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 174406.
Cross-Site Request Forgery (CSRF) vulnerability in WebMat Flexible Elementor Panel plugin <= 2.3.8 versions.
Gadu-Gadu does not properly perform protocol handling, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and add arbitrary user accounts or cause a denial of service as administrators via an unspecified "crafted link," possibly related to the gg protocol.
The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehicles_cfmw_d_vehicle, contacts_cfmw_d_contact, suppliers_cfmw_d_supplier, receipts_cfmw_d_receipt, positions_cfmw_d_position, catalogs_cfmw_d_article, stock_cfmw_d_item, and settings_cfmw_d_catalog. None of these handlers call check_ajax_referer() or wp_verify_nonce(), nor do they perform any capability checks via current_user_can(). This makes it possible for unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, or entire supplier catalogs via a forged request, provided they can trick a logged-in user into performing an action such as clicking a link to a malicious page.
Cross-site request forgery (CSRF) vulnerability in 1024 CMS 1.2.5 allows remote attackers to perform some actions as administrators, as demonstrated by (1) an unspecified action that creates a file containing PHP code and (2) unspecified use of the forum component. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.
Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.
Cross-Site Request Forgery (CSRF) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.