Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13758

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-30 Jan, 2025 | 08:21
Updated At-30 Jan, 2025 | 15:06
Rejected At-
Credits

CP Contact Form with PayPal <= 1.3.52 - Cross-Site Request Forgery

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. This is due to missing or incorrect nonce validation on the cp_contact_form_paypal_check_init_actions() function. This makes it possible for unauthenticated attackers to add discount codes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:30 Jan, 2025 | 08:21
Updated At:30 Jan, 2025 | 15:06
Rejected At:
▼CVE Numbering Authority (CNA)
CP Contact Form with PayPal <= 1.3.52 - Cross-Site Request Forgery

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. This is due to missing or incorrect nonce validation on the cp_contact_form_paypal_check_init_actions() function. This makes it possible for unauthenticated attackers to add discount codes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected Products
Vendor
CodePeoplecodepeople
Product
CP Contact Form with PayPal
Default Status
unaffected
Versions
Affected
  • From * through 1.3.52 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Krzysztof Zając
Timeline
EventDate
Disclosed2025-01-29 19:50:11
Event: Disclosed
Date: 2025-01-29 19:50:11
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/495183b6-dc7c-4ff7-bc99-fc05a10d1269?source=cve
N/A
https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/trunk/cp_contactformpp_functions.php#L616
N/A
https://wordpress.org/plugins/cp-contact-form-with-paypal/#developers
N/A
https://plugins.trac.wordpress.org/changeset/3230873/
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/495183b6-dc7c-4ff7-bc99-fc05a10d1269?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/trunk/cp_contactformpp_functions.php#L616
Resource: N/A
Hyperlink: https://wordpress.org/plugins/cp-contact-form-with-paypal/#developers
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3230873/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:30 Jan, 2025 | 09:15
Updated At:31 Jan, 2025 | 20:28

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. This is due to missing or incorrect nonce validation on the cp_contact_form_paypal_check_init_actions() function. This makes it possible for unauthenticated attackers to add discount codes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CPE Matches
CodePeople
dwbooster
>>cp_contact_form>>Versions before 1.3.53(exclusive)
cpe:2.3:a:dwbooster:cp_contact_form:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarysecurity@wordfence.com
CWE ID: CWE-352
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/trunk/cp_contactformpp_functions.php#L616security@wordfence.com
Product
https://plugins.trac.wordpress.org/changeset/3230873/security@wordfence.com
Patch
https://wordpress.org/plugins/cp-contact-form-with-paypal/#developerssecurity@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/495183b6-dc7c-4ff7-bc99-fc05a10d1269?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/trunk/cp_contactformpp_functions.php#L616
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://plugins.trac.wordpress.org/changeset/3230873/
Source: security@wordfence.com
Resource:
Patch
Hyperlink: https://wordpress.org/plugins/cp-contact-form-with-paypal/#developers
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/495183b6-dc7c-4ff7-bc99-fc05a10d1269?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

514Records found
CVE-2022-3427
Matching Score-8
Assigner-Wordfence
ShareView Details
Matching Score-8
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.63% / 69.27%
||
7 Day CHG~0.00%
Published-15 Dec, 2022 | 04:02
Updated-23 Jan, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.56. This is due to missing or incorrect nonce validation on its corner_ad_settings_page function. This makes it possible for unauthenticated attackers to trigger the deletion of ads via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-CodePeople
Product-corner_adCorner Ad
CVE-2015-9233
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.23% / 45.48%
||
7 Day CHG~0.00%
Published-29 Sep, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has CSRF with resultant XSS, related to cp_contactformpp.php and cp_contactformpp_admin_int_list.inc.php.

Action-Not Available
Vendor-n/aCodePeople
Product-cp_contact_form_with_paypaln/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-20964
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.90%
||
7 Day CHG~0.00%
Published-13 Aug, 2019 | 16:46
Updated-05 Aug, 2024 | 12:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

Action-Not Available
Vendor-n/aCodePeople
Product-contact_form_emailn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49332
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.41%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-06 Jun, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Time Slots Booking Form <= 1.2.30 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in codepeople WP Time Slots Booking Form allows Cross Site Request Forgery. This issue affects WP Time Slots Booking Form: from n/a through 1.2.30.

Action-Not Available
Vendor-CodePeople
Product-WP Time Slots Booking Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49291
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.93%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 12:53
Updated-02 Jul, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Calculated Fields Form <= 5.3.58 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in codepeople Calculated Fields Form allows Cross Site Request Forgery. This issue affects Calculated Fields Form: from n/a through 5.3.58.

Action-Not Available
Vendor-CodePeople
Product-calculated_fields_formCalculated Fields Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0856
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.21% / 43.33%
||
7 Day CHG~0.00%
Published-20 Mar, 2024 | 05:00
Updated-05 May, 2025 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking Calendar < 1.3.83 - CSRF appointment scheduling

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.

Action-Not Available
Vendor-UnknownCodePeople
Product-appointment_booking_calendarAppointment Booking Calendarappointment_booking_calendar
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-46241
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-8.2||HIGH
EPSS-0.03% / 7.01%
||
7 Day CHG+0.01%
Published-22 Apr, 2025 | 09:53
Updated-29 Apr, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Appointment Booking Calendar plugin <= 1.3.92 - CSRF to SQL Injection vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar allows SQL Injection. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.

Action-Not Available
Vendor-CodePeople
Product-appointment_booking_calendarAppointment Booking Calendar
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-2846
Matching Score-6
Assigner-VulDB
ShareView Details
Matching Score-6
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-1.26% / 78.55%
||
7 Day CHG~0.00%
Published-16 Aug, 2022 | 00:00
Updated-15 Apr, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.

Action-Not Available
Vendor-UnknownCodePeople
Product-calendar_event_multi_viewCalendar Event Multi View
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41732
Matching Score-6
Assigner-Patchstack
ShareView Details
Matching Score-6
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 15.32%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 14:44
Updated-19 Sep, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CP Blocks Plugin <= 1.0.20 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in CodePeople CP Blocks plugin <= 1.0.20 versions.

Action-Not Available
Vendor-CodePeople
Product-cp_blocksCP Blocks
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-3632
Matching Score-6
Assigner-WPScan
ShareView Details
Matching Score-6
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.12% / 31.64%
||
7 Day CHG+0.07%
Published-13 Jul, 2024 | 06:00
Updated-15 May, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Image Gallery < 1.0.19 - Update/Delete Google API Key via CSRF

The Smart Image Gallery WordPress plugin before 1.0.19 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-UnknownCodePeople
Product-smart_image_gallerySmart Image Gallerysmart_image_gallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-38721
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 41.26%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 14:35
Updated-04 Aug, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FUEL CMS 1.5.0 login.php contains a cross-site request forgery (CSRF) vulnerability

Action-Not Available
Vendor-thedaylightstudion/a
Product-fuel_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-21407
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8||HIGH
EPSS-0.15% / 36.46%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 15:15
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Portal : the CSRF token isn't validated

Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0.

Action-Not Available
Vendor-combodoCombodo
Product-itopiTop
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1331
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 12:17
Updated-06 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection < 1.1.5 - Plugin Reset via CSRF

The Redirection WordPress plugin before 1.1.5 does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack.

Action-Not Available
Vendor-inisevUnknown
Product-redirectionRedirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13674
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.34%
||
7 Day CHG-0.05%
Published-11 Feb, 2022 | 15:45
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-11015
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 47.49%
||
7 Day CHG~0.00%
Published-16 Oct, 2019 | 00:25
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-jnr1010_firmwarejnr1010n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-2355
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.7||MEDIUM
EPSS-0.10% / 27.80%
||
7 Day CHG~0.00%
Published-08 Aug, 2022 | 13:46
Updated-27 Aug, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF

The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin

Action-Not Available
Vendor-easy_username_updater_projectUnknown
Product-easy_username_updaterEasy Username Updater
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-20130
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 22.98%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-25 Oct, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime Infrastructure
CWE ID-CWE-27
Path Traversal: 'dir/../../filename'
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-27265
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.04% / 8.84%
||
7 Day CHG~0.00%
Published-14 Mar, 2024 | 18:37
Updated-02 Aug, 2024 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Integration Bus for z/OS cross-site request forgery

IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-windowsintegration_buslinux_kernelz\/osIntegration Bus for z/OS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-11085
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.73%
||
7 Day CHG~0.00%
Published-16 Aug, 2020 | 17:17
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

php/qmn_options_questions_tab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the question_name parameter because js/admin_question.js mishandles parsing inside of a SCRIPT element.

Action-Not Available
Vendor-expresstechn/a
Product-quiz_and_survey_mastern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-10962
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.62%
||
7 Day CHG~0.00%
Published-16 Sep, 2019 | 12:25
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.

Action-Not Available
Vendor-icegramn/a
Product-icegram_engagen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1330
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 28.13%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 14:38
Updated-14 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection < 1.1.4 - Redirect Creation via CSRF

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

Action-Not Available
Vendor-inisevUnknown
Product-redirectionRedirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1624
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 18:30
Updated-04 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

Action-Not Available
Vendor-UnknownWPCode, LLC (WPCode)
Product-wpcodeWPCode
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-10997
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.96%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:08
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant arbitrary file upload in includes/sendmail.php.

Action-Not Available
Vendor-yourinspirationwebn/a
Product-beauty-premiumn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0438
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.08%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0522
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.54%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 13:58
Updated-04 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enable/Disable Auto Login when Register <= 1.1.0 - Settings Update via CSRF

The Enable/Disable Auto Login when Register WordPress plugin through 1.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-enable\/disable_auto_login_when_register_projectUnknown
Product-enable\/disable_auto_login_when_registerEnable/Disable Auto Login when Register
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0735
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.12%
||
7 Day CHG~0.00%
Published-07 Feb, 2023 | 00:00
Updated-25 Mar, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in wallabag/wallabag

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.

Action-Not Available
Vendor-wallabagwallabag
Product-wallabagwallabag/wallabag
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0824
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-7.4||HIGH
EPSS-0.14% / 34.77%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:56
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UserPlus <= 2.0 - Stored XSS via CSRF

The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.

Action-Not Available
Vendor-wpuserplusUnknown
Product-userplusUser registration & user profile
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1092
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.59%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:39
Updated-19 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF

The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack

Action-Not Available
Vendor-miniorangeMiniOrange
Product-oauth_single_sign_onOAuth Single Sign On EnterpriseOAuth Single Sign On StandardOAuth Single Sign On PremiumOAuth Single Sign On Free
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0502
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF

The WP News WordPress plugin through 1.1.9 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Action-Not Available
Vendor-UnknownHasTech IT Limited (HasThemes)
Product-wp_newsWP News
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0501
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF

The WP Insurance WordPress plugin before 2.1.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Action-Not Available
Vendor-UnknownHasTech IT Limited (HasThemes)
Product-wp_insuranceWP Insurance
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0398
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.75%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0737
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.71%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:53
Updated-20 Nov, 2024 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSRF in wallabag/wallabag

wallabag version 2.5.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via the /account/delete endpoint. This issue is fixed in version 2.5.4.

Action-Not Available
Vendor-wallabagwallabagwallabag
Product-wallabagwallabag/wallabagwallabag
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1093
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF

The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack

Action-Not Available
Vendor-miniorangeUnknown
Product-oauth_single_sign_onOAuth Single Sign On
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0500
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.98%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF

The WP Film Studio WordPress plugin before 1.3.5 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Action-Not Available
Vendor-UnknownHasTech IT Limited (HasThemes)
Product-wp_film_studioWP Film Studio
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0674
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.27%
||
7 Day CHG~0.00%
Published-04 Feb, 2023 | 07:34
Updated-02 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XXL-JOB New Password updatePwd cross-site request forgery

A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.

Action-Not Available
Vendor-n/aXuxueli
Product-xxl-jobXXL-JOB
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-2559
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 24.47%
||
7 Day CHG~0.00%
Published-17 Mar, 2024 | 09:31
Updated-27 Jan, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC18 SysToolReboot fromSysToolReboot cross-site request forgery

A vulnerability classified as problematic has been found in Tenda AC18 15.03.05.05. Affected is the function fromSysToolReboot of the file /goform/SysToolReboot. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257058 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac18ac18_firmwareAC18
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9437
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.69%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 01:18
Updated-27 Nov, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

Action-Not Available
Vendor-vivwebsolutionsn/a
Product-dynamic_widgetsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9409
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 53.44%
||
7 Day CHG~0.00%
Published-25 Sep, 2019 | 16:59
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php.

Action-Not Available
Vendor-alo-easymail_projectn/a
Product-alo-easymailn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9434
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.62%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 01:12
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter.

Action-Not Available
Vendor-kiwi-logo-carousel_projectn/a
Product-kiwi-logo-carouseln/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4849
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.06% / 18.03%
||
7 Day CHG~0.00%
Published-29 Dec, 2022 | 00:00
Updated-09 Apr, 2025 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in usememos/memos

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 44.18%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 03:39
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The unite-gallery-lite plugin before 1.5 for WordPress has CSRF and SQL injection via wp-admin/admin.php galleryid or id parameters.

Action-Not Available
Vendor-unitegalleryn/a
Product-unite_gallery_liten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9442
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 49.49%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 03:51
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The avenirsoft-directdownload plugin 1.0 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=avenir_plugin.

Action-Not Available
Vendor-avenirsoftn/a
Product-directdownloadn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4850
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.55%
||
7 Day CHG~0.00%
Published-29 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 16:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in usememos/memos

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-23785
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.11% / 30.85%
||
7 Day CHG~0.00%
Published-14 Feb, 2024 | 10:07
Updated-27 Oct, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a remote unauthenticated attacker to change the product settings.

Action-Not Available
Vendor-sharpSHARP CORPORATION
Product-jh-rvb1jh-rv11_firmwarejh-rvb1_firmwarejh-rv11Energy Management Controller with Cloud Services
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9408
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 53.44%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 15:19
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The xpinner-lite plugin through 2.2 for WordPress has wp-admin/options-general.php CSRF with resultant XSS.

Action-Not Available
Vendor-cyberseon/a
Product-xpinner_liten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9417
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.54%
||
7 Day CHG~0.00%
Published-25 Sep, 2019 | 23:44
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS.

Action-Not Available
Vendor-slidervillan/a
Product-testimonial_slidern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9388
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.62%
||
7 Day CHG~0.00%
Published-20 Sep, 2019 | 14:56
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.

Action-Not Available
Vendor-mtouch_quiz_projectn/a
Product-mtouch_quizn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9424
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.69%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 00:35
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter.

Action-Not Available
Vendor-doc4designn/a
Product-multiconsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4888
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 60.43%
||
7 Day CHG~0.00%
Published-31 Jul, 2023 | 09:37
Updated-17 Oct, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Plugins from Addify - Multiple CSRF

The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration Forms Builder WordPress plugin before 1.0.2, Advanced Free Gifts WordPress plugin before 1.0.2, Gift Registry for WooCommerce WordPress plugin through 1.0.1, Image Watermark for WooCommerce WordPress plugin before 1.0.1, Order Approval for WooCommerce WordPress plugin before 1.1.0, Order Tracking for WooCommerce WordPress plugin before 1.0.2, Price Calculator for WooCommerce WordPress plugin through 1.0.3, Product Dynamic Pricing and Discounts WordPress plugin through 1.0.6, Product Labels and Stickers WordPress plugin through 1.0.1 have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions

Action-Not Available
Vendor-addifyUnknownaddify
Product-gift_registry_for_woocommerceorder_tracking_for_woocommercecustom_order_numbercustom_registration_forms_buildercheckout_fields_manageradvanced_free_giftscustom_fields_for_woocommerceimage_watermark_for_woocommerceorder_approval_for_woocommerceabandoned_cart_recoveryGift Registry for WooCommerceCheckout Fields ManagerCustom Fields for WooCommerceCustom Order NumberProduct Dynamic Pricing and DiscountsAdvanced Free GiftsPrice Calculator for WooCommerceProduct Labels and StickersAbandoned Cart RecoveryCustom Registration Forms BuilderOrder Approval for WooCommerceOrder Tracking for WooCommerceImage Watermark for WooCommercegift_registry_for_woocommerceorder_tracking_for_woocommercecustom_order_numbercustom_registration_forms_buildercheckout_fields_manageradvanced_free_giftscustom_fields_for_woocommerceimage_watermark_for_woocommerceproduct_labels_and_stickersprice_calculator_for_woocommerceorder_approval_for_woocommerceabandoned_cart_recoveryproduct_dynamic_pricing_and_discounts
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9431
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.62%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 01:06
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter.

Action-Not Available
Vendor-qtranslate_x_projectn/a
Product-qtranslate_xn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 10
  • 11
  • Next
Details not found