Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-35632

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-03 Jun, 2024 | 11:49
Updated At-02 Aug, 2024 | 03:14
Rejected At-
Credits

WordPress Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.5.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:03 Jun, 2024 | 11:49
Updated At:02 Aug, 2024 | 03:14
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.5.

Affected Products
Vendor
CRM Perks.
Product
Integration for Contact Form 7 and Constant Contact
Collection URL
https://wordpress.org/plugins
Package Name
cf7-constant-contact
Default Status
unaffected
Versions
Affected
  • From n/a through 1.1.5 (custom)
    • -> unaffectedfrom1.1.6
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Update to 1.1.6 or a higher version.

Configurations
Workarounds
Exploits
Credits
finder
Joshua Chan (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
vdb-entry
x_transferred
Hyperlink: https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Resource:
vdb-entry
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:03 Jun, 2024 | 12:15
Updated At:03 Jun, 2024 | 14:46

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.5.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-352Primaryaudit@patchstack.com
CWE ID: CWE-352
Type: Primary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/vulnerability/cf7-constant-contact/wordpress-integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2075Records found
CVE-2024-8120
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.7||MEDIUM
EPSS-0.18% / 38.88%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 02:32
Updated-17 Sep, 2024 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImageRecycle pdf & image compression <= 3.1.14 - Cross-Site Request in Several AJAX Actions

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-imagerecycleimagerecycle
Product-imagerecycle_pdf_\&_image_compressionImageRecycle pdf & image compression
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8200
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.59%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 15:32
Updated-30 Aug, 2024 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More <= 1.1.2 - Cross-Site Request Forgery

The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)Awesome Motive Inc.
Product-reviews_feedReviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7820
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.57%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 06:00
Updated-27 Sep, 2024 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ILC Thickbox <= 1.0 - Settings update via CSRF

The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-elliotUnknownilc_thickbox
Product-ilc_thickboxILC Thickboxilc_thickbox
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8319
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 41.22%
||
7 Day CHG~0.00%
Published-30 Aug, 2024 | 07:33
Updated-03 Sep, 2024 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions

The Tourfic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.20. This is due to missing or incorrect nonce validation on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions. This makes it possible for unauthenticated attackers to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-themeificthemefic
Product-tourficTourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7984
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.60%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-11 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joy Of Text Lite – SMS messaging for WordPress <= 2.3.1 - Settings Update via CSRF

The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-ultimatewpsmsUnknown
Product-joy_of_textJoy Of Text Lite
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8245
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.60%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GamiPress - Reset User <= 1.0.0 - GamiPress User Data Removal via CSRF

The GamiPress WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-gamipressUnknown
Product-gamipress_-_reset_userGamiPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8157
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.40%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 06:00
Updated-15 May, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alphabetical List <= 1.0.3 - Settings Update via CSRF

The Alphabetical List WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-Unknownalain_gonzalezAlain Gonzalez
Product-alphabetical_listAlphabetical Listalphabetical-list
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8477
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.60%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 02:06
Updated-15 Oct, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) <= 3.1.87 - Cross-Site Request Forgery

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-brevoneeraj_slit
Product-newsletter\,_smtp\,_email_marketing_and_subscribeNewsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-32632
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.4||LOW
EPSS-0.15% / 35.38%
||
7 Day CHG~0.00%
Published-20 May, 2021 | 16:10
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSRF allowing modification of commands, modules, banphrases through hidden iFrames

Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnerable to cross-site request forgery (CSRF). Hosters of the bot should upgrade to `v1.52` or `stable` to install the patch or, as a workaround, can add one modern dependency.

Action-Not Available
Vendor-pajbotpajbot
Product-pajbotpajbot
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-14117
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 17.01%
||
7 Day CHG~0.00%
Published-06 Dec, 2025 | 05:32
Updated-12 Dec, 2025 | 12:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fit2cloud Halo cross-site request forgery

A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-FIT2CLOUD Inc.
Product-haloHalo
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2024-8476
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.99%
||
7 Day CHG~0.00%
Published-25 Sep, 2024 | 02:05
Updated-02 Oct, 2024 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy PayPal Events <= 1.2.1 - Cross-Site Request Forgery to Arbitrary Post Deletion

The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wppluginscottpaterson
Product-easy_paypal_eventsEasy PayPal Events
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-39286
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-14 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.

Action-Not Available
Vendor-n/aMitel Networks Corp.
Product-connect_mobility_routern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8398
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.50%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Nav Archives <= 2.1.3 - Settings Update via CSRF

The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-philipwaltonUnknown
Product-simple_nav_archivesSimple Nav Archives
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-47136
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.38%
||
7 Day CHG+0.01%
Published-25 May, 2023 | 11:45
Updated-08 Jan, 2025 | 21:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ninja Tables Plugin <= 4.3.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WPManageNinja LLC Ninja Tables – Best Data Table Plugin for WordPress plugin <= 4.3.4 versions.

Action-Not Available
Vendor-wpmanageninjaWPManageNinja LLC
Product-ninja_tablesNinja Tables – Best Data Table Plugin for WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13363
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.21%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IMAQ Core <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update

The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-imaqpress
Product-IMAQ CORE
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7892
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.14%
||
7 Day CHG~0.00%
Published-25 Sep, 2024 | 06:00
Updated-26 Sep, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
adstxt Plugin <= 1.0.0 - Settings Update via CSRF

The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-Unknownvladyslav_bondarenko
Product-adstxt Pluginadstxt
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7862
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.14%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 06:00
Updated-12 Sep, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blog Introduction <= 0.3.0 - Settings Update via CSRF

The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-Unknownblogintroduction_wordpress_plugin
Product-blogintroduction-wordpress-pluginblogintroduction_wordpress_plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-47169
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.63%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 12:09
Updated-25 Sep, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Visibility Logic for Elementor Plugin <= 2.3.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in StaxWP Visibility Logic for Elementor plugin <= 2.3.4 versions.

Action-Not Available
Vendor-staxwpStaxWP
Product-visibility_logic_for_elementorVisibility Logic for Elementor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8082
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.51%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Widgets Reset <= 0.1 - Settings Update via CSRF

The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-justintadlockUnknown
Product-widgets_resetWidgets Reset
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8414
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.15% / 35.42%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 16:31
Updated-06 Sep, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Insurance Management System cross-site request forgery

A vulnerability has been found in SourceCodester Insurance Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodestermunyweki
Product-insurance_management_systemInsurance Management Systeminsurance_management_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8520
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 48.55%
||
7 Day CHG~0.00%
Published-04 Oct, 2024 | 02:32
Updated-08 Oct, 2024 | 21:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Member <= 2.8.6 - Cross-Site Request Forgery to Membership Status Change

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for unauthenticated attackers to modify a users membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Ultimate Member Group Ltd
Product-ultimate_memberUltimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Pluginultimate_member
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-13361
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 2.63%
||
7 Day CHG~0.00%
Published-21 Dec, 2025 | 03:20
Updated-23 Dec, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-dipesh_patel
Product-Web to SugarCRM Lead
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7161
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 34.88%
||
7 Day CHG~0.00%
Published-28 Jul, 2024 | 15:31
Updated-19 Sep, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SeaCMS Password Change cross-site request forgery

A vulnerability classified as problematic was found in SeaCMS 13.0. Affected by this vulnerability is an unknown functionality of the file /member.php?action=chgpwdsubmit of the component Password Change Handler. The manipulation of the argument newpwd/newpwd2 leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272575.

Action-Not Available
Vendor-seacmsn/aseacms
Product-seacmsSeaCMSseacms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-47138
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.38%
||
7 Day CHG+0.01%
Published-25 May, 2023 | 08:14
Updated-08 Jan, 2025 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LOGIN AND REGISTRATION ATTEMPTS LIMIT Plugin <= 2.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in German Krutov LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin <= 2.1 versions.

Action-Not Available
Vendor-login_and_registration_attempts_limit_projectGerman Krutov
Product-login_and_registration_attempts_limitLOGIN AND REGISTRATION ATTEMPTS LIMIT
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6856
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.06%
||
7 Day CHG~0.00%
Published-08 Sep, 2024 | 06:00
Updated-11 Sep, 2024 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP MultiTasking <= 0.1.12 - SMTP Settings Update via CSRF

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-ngothangUnknownthangnv27
Product-wp_multitaskingWP MultiTaskingwp_multitasking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7360
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 30.36%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 17:31
Updated-09 Aug, 2024 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Tracking Monitoring Management System ajax.php cross-site request forgery

A vulnerability classified as problematic has been found in SourceCodester Tracking Monitoring Management System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273339.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-tracking_monitoring_management_systemTracking Monitoring Management Systemtracking_monitoring_management_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7662
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 33.76%
||
7 Day CHG~0.00%
Published-11 Aug, 2024 | 04:00
Updated-15 Aug, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Car Driving School Management System manag_package.php save_package cross-site request forgery

A vulnerability was found in SourceCodester Car Driving School Management System 1.0. It has been declared as problematic. This vulnerability affects the function save_package of the file admin/packages/manag_package.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-car_driving_school_management_systemCar Driving School Management Systemcar_driving_school_management_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7690
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 22.48%
||
7 Day CHG~0.00%
Published-02 Sep, 2024 | 06:00
Updated-07 Oct, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DN Popup <= 1.2.2 - Settings Update via CSRF

The DN Popup WordPress plugin through 1.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-digireturnUnknowndigireturn
Product-dn_popupDN Popupdn-popup
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7422
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 31.94%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 03:20
Updated-19 Aug, 2024 | 13:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Theme My Login <= 7.1.7 - Cross-Site Request Forgery to Settings Update

The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_save_ms_settings() function. This makes it possible for unauthenticated attackers to update the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note that this only affects multi-site instances.

Action-Not Available
Vendor-jfarthing84
Product-Theme My Login
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6852
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.06%
||
7 Day CHG~0.00%
Published-08 Sep, 2024 | 06:00
Updated-11 Sep, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP MultiTasking <= 0.1.12 - Settings Update via CSRF

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-ngothangUnknownthangnv27
Product-wp_multitaskingWP MultiTaskingwp_multitasking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7645
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.16%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 16:00
Updated-19 Aug, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Clinics Patient Management System User Page users.php cross-site request forgery

A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file users.php of the component User Page. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-clinic\'s_patient_management_systemClinics Patient Management Systemclinics_patient_management_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7106
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.16% / 36.64%
||
7 Day CHG~0.00%
Published-25 Jul, 2024 | 21:00
Updated-13 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spina CMS media_folders cross-site request forgery

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-denkgrootSpinadenkgroot
Product-spinaCMSspina
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-38739
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.79%
||
7 Day CHG~0.00%
Published-31 Jan, 2025 | 15:19
Updated-05 Mar, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Sterling B2B Integrator cross-site request forgery

IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Action-Not Available
Vendor-IBM Corporation
Product-sterling_b2b_integratorSterling B2B Integrator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6925
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.31%
||
7 Day CHG~0.00%
Published-08 Sep, 2024 | 06:00
Updated-11 Sep, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TrueBooker < 1.0.3 - Settings Update via CSRF

The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-themetechmountUnknownthemetechmount
Product-truebookerTrueBookertruebooker-appointment-booking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7065
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 29.17%
||
7 Day CHG~0.00%
Published-24 Jul, 2024 | 09:31
Updated-01 Aug, 2024 | 21:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spina CMS cross-site request forgery

A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272346 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Spinadenkgroot
Product-CMSspina
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-46865
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.38%
||
7 Day CHG+0.01%
Published-25 May, 2023 | 08:40
Updated-08 Jan, 2025 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Bulk Resize Media Plugin <= 1.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Marty Thornley Bulk Resize Media plugin <= 1.1 versions.

Action-Not Available
Vendor-bulk_resize_media_projectMarty Thornley
Product-bulk_resize_mediaBulk Resize Media
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7226
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.13% / 32.37%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 09:00
Updated-13 Aug, 2024 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Medicine Tracker System Password Change cross-site request forgery

A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-medicine_tracker_systemMedicine Tracker Systemmedicine_tracker_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7169
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.12% / 31.91%
||
7 Day CHG~0.00%
Published-28 Jul, 2024 | 19:31
Updated-12 Aug, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester School Fees Payment System ajax.php cross-site request forgery

A vulnerability classified as problematic has been found in SourceCodester School Fees Payment System 1.0. This affects an unknown part of the file /ajax.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272583.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-school_fees_payment_systemSchool Fees Payment Systemschool_fees_payment_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7367
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 30.36%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 21:00
Updated-09 Aug, 2024 | 11:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple Realtime Quiz System ajax.php cross-site request forgery

A vulnerability, which was classified as problematic, was found in SourceCodester Simple Realtime Quiz System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273351.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-simple_realtime_quiz_systemSimple Realtime Quiz Systemsimple_realtime_quiz_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-7460
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 30.36%
||
7 Day CHG~0.00%
Published-04 Aug, 2024 | 23:00
Updated-06 Aug, 2024 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OSWAPP Warehouse Inventory System change_password.php cross-site request forgery

A vulnerability was found in OSWAPP Warehouse Inventory System 1.0/2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /change_password.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273553 was assigned to this vulnerability.

Action-Not Available
Vendor-siamonhasanOSWAPPoswapp
Product-warehouse_inventory_systemWarehouse Inventory Systemwarehouse_inventory_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6855
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.06%
||
7 Day CHG~0.00%
Published-08 Sep, 2024 | 06:00
Updated-11 Sep, 2024 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP MultiTasking <= 0.1.12 - Exit Popup Update via CSRF

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating exit popups, which could allow attackers to make logged admins perform such action via a CSRF attack

Action-Not Available
Vendor-ngothangUnknownthangnv27
Product-wp_multitaskingWP MultiTaskingwp_multitasking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6649
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.14% / 33.27%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 18:31
Updated-17 Oct, 2024 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Employee and Visitor Gate Pass Logging System Users.php save_users cross-site request forgery

A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is the function save_users of the file Users.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271057 was assigned to this vulnerability.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-employee_and_visitor_gate_pass_logging_systemEmployee and Visitor Gate Pass Logging Systememployee_visitor_gatepass_logging_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1383
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.93%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 11:11
Updated-19 Mar, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Podlove Podcast Publisher <= 4.2.2 - Cross-Site Request Forgery via ajax_transcript_delete Function

The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.2. This is due to missing or incorrect nonce validation on the ajax_transcript_delete() function. This makes it possible for unauthenticated attackers to delete arbitrary episode transcripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-podloveeteubert
Product-podlove_podcast_publisherPodlove Podcast Publisher
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-5808
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.81%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 06:00
Updated-28 May, 2025 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Ajax Contact Form <= 2.2.2 - Arbitrary Email Deletion via CSRF

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Action-Not Available
Vendor-masdiblogsUnknownolaf_lederer
Product-wp_ajax_contact_formWP Ajax Contact Formajax_contact_form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-5804
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.99%
||
7 Day CHG~0.00%
Published-20 Jul, 2024 | 02:02
Updated-01 Aug, 2024 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Conditional Fields for Contact Form 7 <= 2.4.13 - Cross-Site Request Forgery to Plugin Setting Reset

The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-jules-colle
Product-Conditional Fields for Contact Form 7
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-46862
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 38.77%
||
7 Day CHG+0.02%
Published-14 Feb, 2023 | 11:26
Updated-13 Jan, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Quiz And Survey Master Plugin <= 8.0.7 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions.

Action-Not Available
Vendor-expresstechExpressTech
Product-quiz_and_survey_masterQuiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4564
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.78%
||
7 Day CHG~0.00%
Published-16 Dec, 2022 | 00:00
Updated-15 Apr, 2025 | 13:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
University of Central Florida Materia API Controller api.php before cross-site request forgery

A vulnerability classified as problematic has been found in University of Central Florida Materia up to 9.0.0. This affects the function before of the file fuel/app/classes/controller/api.php of the component API Controller. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 9.0.1-alpha1 is able to address this issue. The name of the patch is af259115d2e8f17068e61902151ee8a9dbac397b. It is recommended to upgrade the affected component. The identifier VDB-215973 was assigned to this vulnerability.

Action-Not Available
Vendor-ucfUniversity of Central Florida
Product-materiaMateria
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-1320
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 8.67%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 07:04
Updated-11 Aug, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
teachPress <= 9.0.9 - Cross-Site Request Forgery to Import Delete

The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mtrvwinkm89
Product-teachpressteachPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-14165
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.16%
||
7 Day CHG~0.00%
Published-12 Dec, 2025 | 03:20
Updated-15 Dec, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update

The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-developerke
Product-Kirim.Email WooCommerce Integration
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-6628
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.85%
||
7 Day CHG~0.00%
Published-16 Nov, 2024 | 03:20
Updated-31 Mar, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.9 - Cross-Site Request Forgery

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.9.9. This is due to missing or incorrect nonce validation when deleting form submissions. This makes it possible for unauthenticated attackers to delete form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-theinnovscscode
Product-eleformsEleForms – All In One Form Integration including DB for Elementor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 41
  • 42
  • Next
Details not found