Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Salesforce.This issue affects Integration for Contact Form 7 and Salesforce: from n/a through 1.3.9.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for WooCommerce and QuickBooks allows Cross Site Request Forgery. This issue affects Integration for WooCommerce and QuickBooks: from n/a through 1.3.1.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms allows Cross Site Request Forgery. This issue affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms: from n/a through 1.1.3.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms allows Cross Site Request Forgery. This issue affects Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.0.9.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin plugin <= 1.2.2 versions.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 HubSpot.This issue affects Integration for Contact Form 7 HubSpot: from n/a through 1.3.1.
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets allows Cross Site Request Forgery. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through 1.2.4.
The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable() function. This makes it possible for unauthenticated attackers to create and edit pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions.
The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment.
Cross-Site Request Forgery (CSRF) vulnerability in Arian Khosravi, Norik Davtian BigContact Contact Page plugin <= 1.5.8 versions.
The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack
The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues
The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts
Cross-Site Request Forgery (CSRF) vulnerability in Warfare Plugins Social Warfare.This issue affects Social Warfare: from n/a through 4.4.5.1.
Cross-Site Request Forgery (CSRF) vulnerability in Jeroen Peters Name Directory plugin <= 1.27.1 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Atif N SRS Simple Hits Counter plugin <= 1.1.0 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita Custom Field Template plugin <= 2.5.8 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Aarvanshinfotech Online Exam Software: eExamhall plugin <= 4.0 versions.
Cross-Site Request Forgery (CSRF) vulnerability in Brevo Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue.This issue affects Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue: from n/a through 3.1.82.
Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments.
Cross-Site Request Forgery (CSRF) vulnerability in eyecix JobSearch allows Cross Site Request Forgery.This issue affects JobSearch: from n/a through 2.5.3.
The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack
The WP Performance Score Booster WordPress plugin before 2.1 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.
The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments
Cross-Site Request Forgery (CSRF) vulnerability in Nasirahmed Advanced Form Integration.This issue affects Advanced Form Integration: from n/a through 1.89.4.
The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack
Cross-Site Request Forgery (CSRF) vulnerability in RedNao Extra Product Options Builder for WooCommerce.This issue affects Extra Product Options Builder for WooCommerce: from n/a through 1.2.104.
Cross-Site Request Forgery (CSRF) vulnerability in CoSchedule Headline Analyzer.This issue affects Headline Analyzer: from n/a through 1.3.3.
Cross-Site Request Forgery (CSRF) vulnerability in ELEXtensions ELEX WooCommerce Dynamic Pricing and Discounts.This issue affects ELEX WooCommerce Dynamic Pricing and Discounts: from n/a through 2.1.2.
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability
The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_remove_cdn_integration_ajax_request_callback function. This makes it possible for unauthenticated attackers to change cdn settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)
Cross-Site Request Forgery (CSRF) vulnerability in kopatheme Nictitate.This issue affects Nictitate: from n/a through 1.1.4.
The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.
Cross-Site Request Forgery (CSRF) vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall.This issue affects All In One WP Security & Firewall: from n/a through 5.2.6.
The fitness calculators WordPress plugin before 1.9.6 add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Pizza Ordering System 1.0. This issue affects some unknown processing of the file admin/ajax.php?action=save_user. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221681 was assigned to this vulnerability.
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF).This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.1.
Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.This issue affects Easy Digital Downloads: from n/a through 3.2.11.
The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the deletePricingTable() function. This makes it possible for unauthenticated attackers to delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
A security vulnerability in HPE IceWall Agent products could be exploited remotely to cause a Cross-Site Request Forgery (CSRF) in the login flow.
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if a nonce is set. By omitting a nonce from the request, the check can be bypassed.
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets.This issue affects Sign-up Sheets: from n/a through 2.2.11.1.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known.
A vulnerability, which was classified as problematic, was found in Tianjin PubliCMS 4.0.202302.e. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.