A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery.This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through <= 1.0.3.
Cross Site Request Forgery (CSRF) vulnerability in FlyCms 1.0 allows attackers to add arbitrary administrator accounts via system/admin/admin_save.
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Insufficient CSRF Protection OVE-20230524-0008.
Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation.This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5.
IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158116.
Cross-Site Request Forgery (CSRF) vulnerability in ClickWhale ClickWhale clickwhale allows Cross Site Request Forgery.This issue affects ClickWhale: from n/a through <= 2.4.3.
In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site Request Forgery (CSRF). By luring an authenticated user to click on a link, an attacker can create a new user role with admin privileges and attacker-controlled credentials, allowing them to take over the application.
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account.
Cross-Site Request Forgery (CSRF) vulnerability in Forge12 Interactive GmbH F12-Profiler f12-profiler allows Cross Site Request Forgery.This issue affects F12-Profiler: from n/a through <= 1.3.9.
HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
Cross-Site Request Forgery (CSRF) vulnerability in Brizy Brizy Pro allows Cross Site Request Forgery.This issue affects Brizy Pro: from n/a through 2.6.1.
Certain NETGEAR devices are affected by CSRF. This affects GS716Tv3 before 6.3.1.36 and GS724Tv4 before 6.3.1.36.
The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks
KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page.
The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.
The WP-Orphanage Extended plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the wporphanageex_menu_settings() function. This makes it possible for unauthenticated attackers to escalate the privileges of all orphan accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.)
The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey
The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack
tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request.
The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible.
Gibbon before 29.0.00 allows CSRF.
Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation, by embedding malicious requests in external content. The lack of CSRF protections allows exploitation via crafted requests.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box popup-box allows Cross Site Request Forgery.This issue affects Popup Box: from n/a through <= 3.2.4.
An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Side Menu Lite side-menu-lite allows Cross Site Request Forgery.This issue affects Side Menu Lite: from n/a through <= 5.3.1.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box counter-box allows Cross Site Request Forgery.This issue affects Counter Box: from n/a through <= 2.0.5.
Cross-Site Request Forgery (CSRF) vulnerability in cmsMinds Pay with Contact Form 7 pay-with-contact-form-7 allows Cross Site Request Forgery.This issue affects Pay with Contact Form 7: from n/a through <= 1.0.4.
JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/div/delete.
BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF).
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Modal Window modal-window allows Cross Site Request Forgery.This issue affects Modal Window: from n/a through <= 6.1.4.
Cross-Site Request Forgery (CSRF) vulnerability in WPGMaps WP Go Maps wp-google-maps.This issue affects WP Go Maps: from n/a through <= 9.0.40.
Certain NETGEAR devices are affected by CSRF. This affects D3600 before 1.0.0.72, D6000 before 1.0.0.72, EX3700 before 1.0.0.70, EX3800 before 1.0.0.70, EX6000 before 1.0.0.30, EX6100 before 1.0.2.24, EX6120 before 1.0.0.40, EX6130 before 1.0.0.22, EX6150v1 before 1.0.0.42, EX6200 before 1.0.3.88, EX7000 before 1.0.0.66, and WN2500RPv2 before 1.0.1.54.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator – easily Button Builder button-generation allows Cross Site Request Forgery.This issue affects Button Generator – easily Button Builder: from n/a through <= 3.1.1.
Cross-Site Request Forgery (CSRF) vulnerability in Slava Abakumov BuddyPress Groups Extras buddypress-groups-extras allows Cross Site Request Forgery.This issue affects BuddyPress Groups Extras: from n/a through <= 3.6.10.
The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check wp-spell-check allows Cross Site Request Forgery.This issue affects WP Spell Check: from n/a through <= 9.21.
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
Cross-Site Request Forgery (CSRF) vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Cross Site Request Forgery.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.92.0.
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Cross Site Request Forgery.This issue affects Radius Blocks: from n/a through <= 2.1.2.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Herd Effects mwp-herd-effect allows Cross Site Request Forgery.This issue affects Herd Effects: from n/a through <= 6.2.1.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu – circle floating menu bubble-menu allows Cross Site Request Forgery.This issue affects Bubble Menu – circle floating menu: from n/a through <= 4.0.2.
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Sticky Buttons sticky-buttons allows Cross Site Request Forgery.This issue affects Sticky Buttons: from n/a through <= 4.1.1.
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP The Events Calendar the-events-calendar allows Cross Site Request Forgery.This issue affects The Events Calendar: from n/a through <= 6.7.0.
Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Job Board Manager job-board-manager allows Cross Site Request Forgery.This issue affects Job Board Manager: from n/a through <= 2.1.59.