Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions.
The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon by Supsystic plugin <= 1.7.10 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.
The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. One consequence of this is stored XSS.
The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-31269 appears to be a duplicate of this issue.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Slider by Supsystic plugin <= 1.8.5 versions.
The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.
The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.
The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Ultimate Maps by Supsystic.This issue affects Ultimate Maps by Supsystic: from n/a through 1.2.16.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Digital Publications by Supsystic.This issue affects Digital Publications by Supsystic: from n/a through 1.7.7.
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps.This issue affects Easy Google Maps: from n/a through 1.11.11.
Cross Site Request Forgery (CSRF) vulnerability in MooSocial v.3.1.8 allows a remote attacker to execute arbitrary code and obtain sensitive information via the admin Password Change Function.
A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has frs_save CSRF with resultant stored XSS.
The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.
Cross-Site Request Forgery (CSRF) vulnerability in Moriyan Jay WP Site Protector plugin <= 2.0 versions.
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection.
The wp-d3 plugin before 2.4.1 for WordPress has CSRF.
Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge.
Cross-Site Request Forgery (CSRF) vulnerability in Kvvaradha Kv TinyMCE Editor Add Fonts plugin <= 1.1 versions.
The kento-post-view-counter plugin through 2.8 for WordPress has wp-admin/admin.php?page=kentopvc_settings CSRF.
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web site for account takeover attacks.
An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI.
The wp-database-backup plugin before 4.3.3 for WordPress has CSRF.
A Cross-Site Request Forgery (CSRF) vulnerability in edit_user.php in OSWAPP Warehouse Inventory System (aka OSWA-INV) through 2020-08-10 allows remote attackers to change the admin's password after an authenticated admin visits a third-party site.
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.
Cross-Site Request Forgery (CSRF) vulnerability in Fla-shop.Com Interactive World Map plugin <= 3.2.0 versions.
A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Cross-Site Request Forgery (CSRF) vulnerability in Web UI of Secomea GateManager allows phishing attacker to issue get request in logged in user session.
Cross-Site Request Forgery (CSRF) vulnerability in Manish Kumar Agarwal Change Table Prefix change-table-prefix allows Cross Site Request Forgery.This issue affects Change Table Prefix: from n/a through <= 2.0.
Cross-Site Request Forgery (CSRF) vulnerability in Dinesh Karki Block Plugin Update plugin <= 3.3 versions.
Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint.
Cross-Site Request Forgery (CSRF) vulnerability in GoodBarber plugin <= 1.0.22 versions.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must be passing canInstallPackages, victim site must be connected to the Concrete marketplace; and the attacker controls the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Cross-Site Request Forgery (CSRF) vulnerability in Keywordrush Content Egg plugin <= 5.4.0 on WordPress.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Jeesns 1.4.2 contains a cross-site request forgery (CSRF) which allows attackers to escalate privileges and perform sensitive program operations.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.