Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-2911

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-26 Mar, 2024 | 21:31
Updated At-09 Sep, 2024 | 15:26
Rejected At-
Credits

Tianjin PubliCMS cross-site request forgery

A vulnerability, which was classified as problematic, was found in Tianjin PubliCMS 4.0.202302.e. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:26 Mar, 2024 | 21:31
Updated At:09 Sep, 2024 | 15:26
Rejected At:
▼CVE Numbering Authority (CNA)
Tianjin PubliCMS cross-site request forgery

A vulnerability, which was classified as problematic, was found in Tianjin PubliCMS 4.0.202302.e. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Products
Vendor
Tianjin
Product
PubliCMS
Versions
Affected
  • 4.0.202302.e
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
3.04.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
2.05.0N/A
AV:N/AC:L/Au:N/C:N/I:P/A:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Version: 3.0
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Version: 2.0
Base score: 5.0
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
hexixi (VulDB User)
Timeline
EventDate
Advisory disclosed2024-03-26 00:00:00
CVE reserved2024-03-26 00:00:00
VulDB entry created2024-03-26 01:00:00
VulDB entry last update2024-06-27 05:46:48
Event: Advisory disclosed
Date: 2024-03-26 00:00:00
Event: CVE reserved
Date: 2024-03-26 00:00:00
Event: VulDB entry created
Date: 2024-03-26 01:00:00
Event: VulDB entry last update
Date: 2024-06-27 05:46:48
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.257979
vdb-entry
technical-description
https://vuldb.com/?ctiid.257979
signature
permissions-required
https://vuldb.com/?submit.300339
third-party-advisory
https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
exploit
Hyperlink: https://vuldb.com/?id.257979
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.257979
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.300339
Resource:
third-party-advisory
Hyperlink: https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
Resource:
exploit
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
tianjin
Product
publicms
CPEs
  • cpe:2.3:a:tianjin:publicms:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 4.0.202302.e
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.257979
vdb-entry
x_transferred
https://vuldb.com/?ctiid.257979
signature
permissions-required
x_transferred
https://vuldb.com/?submit.300339
third-party-advisory
x_transferred
https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
exploit
x_transferred
Hyperlink: https://vuldb.com/?id.257979
Resource:
vdb-entry
x_transferred
Hyperlink: https://vuldb.com/?ctiid.257979
Resource:
signature
permissions-required
x_transferred
Hyperlink: https://vuldb.com/?submit.300339
Resource:
third-party-advisory
x_transferred
Hyperlink: https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
Resource:
exploit
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:26 Mar, 2024 | 22:15
Updated At:21 Aug, 2025 | 17:45

A vulnerability, which was classified as problematic, was found in Tianjin PubliCMS 4.0.202302.e. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Secondary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches
publiccms
publiccms
>>publiccms>>4.0.202302.e
cpe:2.3:a:publiccms:publiccms:4.0.202302.e:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Secondarycna@vuldb.com
CWE ID: CWE-352
Type: Secondary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdfcna@vuldb.com
Broken Link
https://vuldb.com/?ctiid.257979cna@vuldb.com
Permissions Required
VDB Entry
https://vuldb.com/?id.257979cna@vuldb.com
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.300339cna@vuldb.com
Third Party Advisory
VDB Entry
https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdfaf854a3a-2127-422b-91ae-364da2661108
Broken Link
https://vuldb.com/?ctiid.257979af854a3a-2127-422b-91ae-364da2661108
Permissions Required
VDB Entry
https://vuldb.com/?id.257979af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.300339af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
Hyperlink: https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
Source: cna@vuldb.com
Resource:
Broken Link
Hyperlink: https://vuldb.com/?ctiid.257979
Source: cna@vuldb.com
Resource:
Permissions Required
VDB Entry
Hyperlink: https://vuldb.com/?id.257979
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?submit.300339
Source: cna@vuldb.com
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://github.com/sweatxi/BugHub/blob/main/publiccms_csrf.pdf
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Hyperlink: https://vuldb.com/?ctiid.257979
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Permissions Required
VDB Entry
Hyperlink: https://vuldb.com/?id.257979
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://vuldb.com/?submit.300339
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

2169Records found
CVE-2025-14354
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.96%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Resource Library for Logged In Users <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions

The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-doubledome
Product-Resource Library for Logged In Users
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-14163
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.81%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 09:20
Updated-05 Jan, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premium Addons for Elementor <= 4.11.53 - Cross-Site Request Forgery via 'insert_inner_template'

The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.

Action-Not Available
Vendor-leap13leap13
Product-premium_addons_for_elementorPremium Addons for Elementor – Powerful Elementor Templates & Widgets
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-14165
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.14%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update

The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-developerke
Product-Kirim.Email WooCommerce Integration
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9887
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.79%
||
7 Day CHG-0.01%
Published-20 Sep, 2025 | 06:43
Updated-22 Sep, 2025 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Login And Signup Widget <= 1.0 - Cross-Site Request Forgery

The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-bittokazi
Product-Custom Login And Signup Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-14454
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.65%
||
7 Day CHG~0.00%
Published-13 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Image Slider by Ays- Responsive Slider and Carousel <= 2.7.0 - Cross-Site Request Forgery to Arbitrary Slider Deletion

The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-AYS Pro Extensions
Product-Image Slider by Ays- Responsive Slider and Carousel
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9623
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.49%
||
7 Day CHG~0.00%
Published-11 Sep, 2025 | 07:24
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin in English with Switch <= 1.1 - Cross-Site Request Forgery

The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enable_eng function. This makes it possible for unauthenticated attackers to modify administrator language settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-dontcare
Product-Admin in English with Switch
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1463
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 15.78%
||
7 Day CHG~0.00%
Published-05 Mar, 2025 | 11:22
Updated-05 Mar, 2025 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spreadsheet Integration <= 3.8.2 - Cross-Site Request Forgery to Arbitrary Post Publish

The Spreadsheet Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to improper nonce validation within the class-wpgsi-show.php script. This makes it possible for unauthenticated attackers to publish arbitrary posts, including private, granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-javmah
Product-Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9618
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.97%
||
7 Day CHG~0.00%
Published-30 Aug, 2025 | 01:45
Updated-02 Sep, 2025 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Related Posts Lite <= 1.12 - Cross-Site Request Forgery

The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wpdreams
Product-Related Posts Lite
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-4286
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.53%
||
7 Day CHG~0.00%
Published-19 May, 2020 | 13:15
Updated-16 Sep, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 176268.

Action-Not Available
Vendor-IBM Corporation
Product-infosphere_information_server_on_cloudinfosphere_information_serverInfoSphere Information Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13142
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.05%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 07:31
Updated-24 Nov, 2025 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion

The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-farvehandleren
Product-Custom Post Type
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13179
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.71%
||
7 Day CHG~0.00%
Published-14 Nov, 2025 | 19:32
Updated-24 Nov, 2025 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System cross-site request forgery

A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-bdtaskBdtaskCodeCanyon
Product-wholesaleWholesale Inventory Control and Inventory Management System
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2020-4764
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.08% / 23.07%
||
7 Day CHG~0.00%
Published-18 Dec, 2020 | 15:00
Updated-17 Sep, 2024 | 00:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 188898.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-windowsplanning_analyticslinux_kernelPlanning Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9626
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.07%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 09:28
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page Blocks <= 1.1.0 - Cross-Site Request Forgery

The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-softwud
Product-Page Blocks
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13737
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-28 Nov, 2025 | 03:27
Updated-01 Dec, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nextend Social Login and Register <= 3.1.21 - Cross-Site Request Forgery to Unlink User Social Login

The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-nextendweb
Product-Nextend Social Login and Register
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9894
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.63%
||
7 Day CHG~0.00%
Published-27 Sep, 2025 | 06:47
Updated-29 Sep, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger

The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-cristianr909090
Product-Sync Feedly
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13629
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-06 Dec, 2025 | 05:49
Updated-08 Dec, 2025 | 21:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-xbenx
Product-WP Landing Page
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1314
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.15%
||
7 Day CHG-0.00%
Published-20 Mar, 2025 | 05:22
Updated-20 Mar, 2025 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom Twitter Feeds <= 2.2.5 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin Function

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Awesome Motive Inc.
Product-Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13139
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.47%
||
7 Day CHG~0.00%
Published-24 Jan, 2026 | 09:08
Updated-26 Jan, 2026 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Creation

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-devsoftbaltic
Product-SurveyJS: Drag & Drop Form Builder
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1358
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 11.16%
||
7 Day CHG~0.00%
Published-16 Feb, 2025 | 19:31
Updated-18 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pix Software Vivaz cross-site request forgery

A vulnerability classified as problematic was found in Pix Software Vivaz 6.0.10. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Pix Software
Product-Vivaz
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2023-37889
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.55%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 12:25
Updated-30 Sep, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPAdmin AWS CDN Plugin <= 2.0.13 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdmin AWS CDN plugin <= 2.0.13 versions.

Action-Not Available
Vendor-wpadminWPAdmin
Product-aws_cdnWPAdmin AWS CDN
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13205
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.32%
||
7 Day CHG-0.01%
Published-24 Jan, 2026 | 09:08
Updated-26 Jan, 2026 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-devsoftbaltic
Product-SurveyJS: Drag & Drop Form Builder
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12827
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.05%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 08:27
Updated-18 Nov, 2025 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update

The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-denishua
Product-Top Friends
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13521
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 08:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-fulippo
Product-WP Status Notifier
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9944
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.63%
||
7 Day CHG~0.00%
Published-27 Sep, 2025 | 06:47
Updated-29 Sep, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending

The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to trigger test email sending via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-kelderic
Product-Professional Contact Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-12901
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.14%
||
7 Day CHG~0.00%
Published-12 Nov, 2025 | 04:29
Updated-14 Nov, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update

The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.

Action-Not Available
Vendor-asgaros
Product-Asgaros Forum
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.65%
||
7 Day CHG~0.00%
Published-21 Dec, 2025 | 03:20
Updated-23 Dec, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-dipesh_patel
Product-Web to SugarCRM Lead
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-37991
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.25%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 09:39
Updated-20 Sep, 2024 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Emoji One Plugin <= 0.6.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Monchito.Net WP Emoji One plugin <= 0.6.0 versions.

Action-Not Available
Vendor-monchitoMonchito.net
Product-wp_emoji_oneWP Emoji One
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-9888
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.13%
||
7 Day CHG~0.00%
Published-10 Sep, 2025 | 06:38
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Maspik <= 2.5.6 - Cross-Site Request Forgery

The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-yonifre
Product-Maspik – Ultimate Spam Protection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1320
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.69%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 07:04
Updated-11 Aug, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
teachPress <= 9.0.9 - Cross-Site Request Forgery to Import Delete

The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mtrvwinkm89
Product-teachpressteachPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13790
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.65%
||
7 Day CHG~0.00%
Published-30 Nov, 2025 | 14:32
Updated-04 Dec, 2025 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Scada-LTS cross-site request forgery

A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-scada-ltsn/a
Product-scada-ltsScada-LTS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2021-29823
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 19.38%
||
7 Day CHG~0.00%
Published-01 Sep, 2022 | 19:00
Updated-16 Sep, 2024 | 23:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204465.

Action-Not Available
Vendor-IBM CorporationNetApp, Inc.
Product-cognos_analyticsoncommand_insightCognos Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-8104
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.94%
||
7 Day CHG~0.00%
Published-27 Jul, 2025 | 04:23
Updated-29 Jul, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Usage <= 3.98 - Cross-Site Request Forgery to Limited Plugin Installation via wpmemory_install_plugin Function

The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.98. This is due to missing nonce validation in the wpmemory_install_plugin() function. This makes it possible for unauthenticated attackers to silently install one of the several whitelisted plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-sminozzi
Product-Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13520
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 08:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MTCaptcha WordPress Plugin <= 2.7.2 - Cross-Site Request Forgery to Settings Update

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mtcaptcha
Product-MTCaptcha WordPress Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-8481
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.97%
||
7 Day CHG~0.00%
Published-11 Sep, 2025 | 07:24
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery

The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mdimran41
Product-Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-7965
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.24%
||
7 Day CHG-0.01%
Published-11 Aug, 2025 | 06:00
Updated-09 Jan, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CBX Restaurant Booking <= 1.2.1 - Plugin Reset via CSRF

The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-Unknown
Product-CBX Restaurant Booking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-8479
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.13%
||
7 Day CHG~0.00%
Published-11 Sep, 2025 | 06:43
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zoho Flow <= 2.14.1 - Cross-Site Request Forgery

The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-zohoflow
Product-Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13119
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.71%
||
7 Day CHG~0.00%
Published-13 Nov, 2025 | 15:02
Updated-17 Nov, 2025 | 12:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fabian Ros/SourceCodester Simple E-Banking System cross-site request forgery

A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-Fabian RosSourceCodesterFabian Ros
Product-simple_e-banking_systemSimple E-Banking System
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2021-29816
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.53%
||
7 Day CHG~0.00%
Published-23 Sep, 2021 | 18:05
Updated-16 Sep, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 204341.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-linux_kernelaixwindowsjazz_for_service_managementJazz for Service Management
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29757
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.28%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 16:00
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202168.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_user_behavior_analyticsQRadar User Behavior Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-29756
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.33%
||
7 Day CHG~0.00%
Published-03 Dec, 2021 | 17:00
Updated-16 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167.

Action-Not Available
Vendor-IBM CorporationNetApp, Inc.
Product-cognos_analyticsoncommand_insightCognos Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13684
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-05 Dec, 2025 | 07:26
Updated-08 Dec, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update

The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-alexkar
Product-ARK Related Posts
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13143
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-27 Nov, 2025 | 05:31
Updated-01 Dec, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.0 - Cross-Site Request Forgery to Account Disconnection

The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-assafp
Product-Poll, Survey & Quiz Maker Plugin by Opinion Stage
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13527
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 08:21
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xShare <= 1.0.1 - Cross-Site Request Forgery to 'rs_plugin_reset' Parameter

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-anwerashif
Product-xShare
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13408
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.65%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foxtool All-in-One: Contact chat button, Custom login, Media optimize images <= 2.5.2 - Cross-Site Request Forgery to Google OAuth Connection

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-foxtheme
Product-Foxtool All-in-One: Contact chat button, Custom login, Media optimize images
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13363
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IMAQ Core <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update

The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-imaqpress
Product-IMAQ CORE
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13657
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.30%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 06:35
Updated-08 Jan, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-helpdeskcom
Product-HelpDesk contact form plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-8491
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.49%
||
7 Day CHG~0.00%
Published-13 Aug, 2025 | 03:42
Updated-13 Aug, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy restaurant menu manager <= 2.0.2 - Cross-Site Request Forgery to Menu Upload

The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-nikelschubert
Product-Easy restaurant menu manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13140
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.23%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 06:40
Updated-02 Dec, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-devsoftbaltic
Product-SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-4199
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.84%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 13:55
Updated-17 Sep, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Netcool/OMNIbus 8.1.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 174910.

Action-Not Available
Vendor-IBM Corporation
Product-tivoli_netcool\/omnibusTivoli Netcool/OMNIbus
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13749
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.30%
||
7 Day CHG~0.00%
Published-09 Jan, 2026 | 05:25
Updated-13 Jan, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clearfy <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-creativemotion
Product-Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 43
  • 44
  • Next
Details not found