Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-42553

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-20 Aug, 2024 | 00:00
Updated At-20 Aug, 2024 | 15:55
Rejected At-
Credits

A Cross-Site Request Forgery (CSRF) in the component admin_room_added.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:20 Aug, 2024 | 00:00
Updated At:20 Aug, 2024 | 15:55
Rejected At:
▼CVE Numbering Authority (CNA)

A Cross-Site Request Forgery (CSRF) in the component admin_room_added.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/topsky979/4b22a22c73b16c7c22c06d4b3f033fdc
N/A
Hyperlink: https://gist.github.com/topsky979/4b22a22c73b16c7c22c06d4b3f033fdc
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
vaibhavverma9999
Product
hotel_management_system
CPEs
  • cpe:2.3:a:vaibhavverma9999:hotel_management_system:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before * (custom)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:20 Aug, 2024 | 13:15
Updated At:05 Jun, 2025 | 20:19

A Cross-Site Request Forgery (CSRF) in the component admin_room_added.php of Hotel Management System commit 91caab8 allows attackers to escalate privileges.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
vaibhavverma9999
vaibhavverma9999
>>hotel_management_system>>Versions up to 2020-06-10(inclusive)
cpe:2.3:a:vaibhavverma9999:hotel_management_system:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-352
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/topsky979/4b22a22c73b16c7c22c06d4b3f033fdccve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://gist.github.com/topsky979/4b22a22c73b16c7c22c06d4b3f033fdc
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

2376Records found
CVE-2023-24414
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.85%
||
7 Day CHG~0.00%
Published-20 May, 2023 | 22:08
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Robo Gallery Plugin <= 3.2.11 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.11 versions.

Action-Not Available
Vendor-robosoftRoboSoft
Product-robogalleryPhoto Gallery, Images, Slider in Rbs Image Gallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24395
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 25.62%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 10:40
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 Redirect & Thank You Page Plugin <= 1.0.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 Redirect & Thank You Page plugin <= 1.0.3 versions.

Action-Not Available
Vendor-wppluginScott Paterson
Product-contact_form_7_redirect_\&_thank_you_pageContact Form 7 Redirect & Thank You Page
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6391
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.10% / 26.36%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 14:44
Updated-29 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom User CSS <= 0.2 - Settings Update via CSRF

The Custom User CSS WordPress plugin through 0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-jeremiahoremUnknown
Product-custom_user_cssCustom User CSS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25481
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.78%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 12:26
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Podlove Subscribe button Plugin <= 1.3.7 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions.

Action-Not Available
Vendor-podlovePodlove
Product-podlove_subscribe_buttonPodlove Subscribe button
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6671
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-6.3||MEDIUM
EPSS-0.06% / 19.69%
||
7 Day CHG~0.00%
Published-11 Dec, 2023 | 13:53
Updated-02 Aug, 2024 | 08:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery on OPEN JOURNAL SYSTEMS

A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Action-Not Available
Vendor-openjournalsystemsOPEN JOURNAL SYSTEMS
Product-open_journal_systemsOPEN JOURNAL SYSTEMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6946
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.13% / 32.37%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 14:44
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF

The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-unalignedcodeUnknown
Product-autotitleAutotitle for WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6689
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.2||HIGH
EPSS-0.06% / 17.32%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 23:20
Updated-25 Feb, 2026 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery in EFACEC BCU 500

A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application.

Action-Not Available
Vendor-efacecEFACEC
Product-bcu_500bcu_500_firmwareBCU 500
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25033
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.06% / 17.23%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 12:49
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social Share Boost Plugin <= 4.5 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Sumo Social Share Boost plugin <= 4.5 versions.

Action-Not Available
Vendor-sumoSumo
Product-social_share_boostSocial Share Boost
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6676
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-8.8||HIGH
EPSS-0.08% / 22.58%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 13:07
Updated-21 Aug, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Request Forgery in National Keep's CyberMath

Cross-Site Request Forgery (CSRF) vulnerability in National Keep Cyber Security Services CyberMath allows Cross Site Request Forgery.This issue affects CyberMath: from v1.4 before v1.5.

Action-Not Available
Vendor-nationalkeepNational Keep Cyber Security Servicesnationalkeep
Product-cybermathCyberMathcybermath
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25467
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.78%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 14:02
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Resize at Upload Plus Plugin <= 1.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Daniel Mores, A. Huizinga Resize at Upload Plus plugin <= 1.3 versions.

Action-Not Available
Vendor-resize_at_upload_plus_projectDaniel Mores, A. Huizinga
Product-resize_at_upload_plusResize at Upload Plus
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25025
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.43%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 13:24
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP-CopyProtect [Protect your blog posts] Plugin <= 3.1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole WP-CopyProtect [Protect your blog posts] plugin <= 3.1.0 versions.

Action-Not Available
Vendor-chetangoleChetan Gole
Product-wp-copyprotect_\[protect_your_blog_posts\]WP-CopyProtect [Protect your blog posts]
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2528
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.33% / 56.06%
||
7 Day CHG+0.18%
Published-16 May, 2023 | 23:35
Updated-08 Apr, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form by Supsystic <= 1.7.24 - Cross-Site Request Forgery via AJAX action

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-supsysticsupsysticcom
Product-contact_formContact Form by Supsystic
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-53751
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.28%
||
7 Day CHG~0.00%
Published-02 Dec, 2024 | 13:48
Updated-28 Apr, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Build App Online plugin <= 1.0.23 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in hakeemnala Build App Online build-app-online allows Cross Site Request Forgery.This issue affects Build App Online: from n/a through <= 1.0.23.

Action-Not Available
Vendor-buildapphakeemnala
Product-build_app_onlineBuild App Online
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24446
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.12% / 29.80%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

Action-Not Available
Vendor-Jenkins
Product-openidJenkins OpenID Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24447
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.08% / 24.48%
||
7 Day CHG~0.00%
Published-24 Jan, 2023 | 00:00
Updated-02 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

Action-Not Available
Vendor-Jenkins
Product-rabbitmq_consumerJenkins RabbitMQ Consumer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6390
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.10% / 26.36%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 14:44
Updated-20 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Users <= 1.4 - Settings Update via CSRF

The WordPress Users WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-jonathonkempUnknown
Product-wordpress_usersWordPress Users
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6196
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-20 Nov, 2023 | 14:34
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload

The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the function audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-myaudiomerchantAudio Merchant
Product-audio_merchantAudio Merchant
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-6497
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.5||HIGH
EPSS-0.09% / 25.86%
||
7 Day CHG~0.00%
Published-15 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 06:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

Remote Cross-site Request forgery (CSRF) potential has been identified in UCMBD Server version DDM Content Pack V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND which could allow for remote unsafe deserialization and cross-site request forgery (CSRF).

Action-Not Available
Vendor-Micro Focus International Limited
Product-universal_cmbd_servercms_serverUniversal CMDB ServerCMS Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-24415
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 27.81%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 15:03
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress AI ChatBot plugin <= 4.2.8 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions.

Action-Not Available
Vendor-quantumcloudQuantumCloud
Product-chatbotAI ChatBot
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25066
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 28.24%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 05:32
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FV Flowplayer Video Player Plugin <= 7.5.30.7212 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions.

Action-Not Available
Vendor-foliovisionFolioVision
Product-fv_flowplayer_video_playerFV Flowplayer Video Player
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25447
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 14:13
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ColorWay Theme <= 4.2.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Inkthemescom ColorWay theme <= 4.2.3 versions.

Action-Not Available
Vendor-inkthemesInkthemescom
Product-colorwayColorWay
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25448
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.78%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 14:20
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Archivist – Custom Archive Templates Plugin <= 1.7.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions.

Action-Not Available
Vendor-archivist_projectEric Teubert
Product-archivistArchivist – Custom Archive Templates
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-39472
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 24.81%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 17:15
Updated-12 May, 2026 | 00:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Social Login plugin < 2.8.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in wpweb WooCommerce Social Login woo-social-login allows Cross Site Request Forgery.This issue affects WooCommerce Social Login: from n/a through < 2.8.3.

Action-Not Available
Vendor-WPWeb Elite
Product-woocommerce_social_loginWooCommerce Social Login
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24405
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.07% / 20.78%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 11:58
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form 7 – PayPal & Stripe Add-on Plugin <= 1.9.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3 versions.

Action-Not Available
Vendor-wppluginScott Paterson
Product-paypal_\&_stripe_add-onContact Form 7 – PayPal & Stripe Add-on
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24159
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.11% / 28.77%
||
7 Day CHG~0.00%
Published-05 Apr, 2021 | 18:27
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

Action-Not Available
Vendor-rocklobsterUnknown
Product-contact_form_7Contact Form 7 Style
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2533
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-8.4||HIGH
EPSS-36.32% / 97.16%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 14:45
Updated-26 Feb, 2026 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-08-18||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
PaperCut MF/NG 22.0.10 (Build 65996 2023-03-27) - Remote code execution via CSRF

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.

Action-Not Available
Vendor-PaperCut Software Pty Ltd
Product-papercut_ngpapercut_mfPaperCut NG/MFNG/MF
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6137
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 30.95%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 12:50
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Frontier Post Plugin <= 6.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in finnj Frontier Post allows Cross Site Request Forgery.This issue affects Frontier Post: from n/a through 6.1.

Action-Not Available
Vendor-wpfrontierfinnj
Product-frontier_postFrontier Post
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25463
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 28.24%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 10:27
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress wp tell a friend popup form Plugin <= 7.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Gopi Ramasamy WP tell a friend popup form plugin <= 7.1 versions.

Action-Not Available
Vendor-gopiplusGopi Ramasamy
Product-wp-tell-a-friend-popup-formWP tell a friend popup form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-44117
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.64% / 70.86%
||
7 Day CHG~0.00%
Published-10 Jun, 2022 | 12:35
Updated-04 Aug, 2024 | 04:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.

Action-Not Available
Vendor-thedaylightstudion/a
Product-fuel_cmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5820
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.6||CRITICAL
EPSS-0.10% / 27.52%
||
7 Day CHG~0.00%
Published-27 Oct, 2023 | 11:28
Updated-05 Feb, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the addedit functionality. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-i13websolutionnik00726
Product-thumbnail_slider_with_lightboxThumbnail Slider With Lightbox
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-23227
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 28.36%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 20:27
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PHP Everywhere Plugin <= 2.0.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions.

Action-Not Available
Vendor-php_everywhere_projectAlexander Fuchs
Product-php_everywherePHP Everywhere (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24384
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.01%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 14:55
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Organization chart Plugin <= 1.4.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions.

Action-Not Available
Vendor-WpDevArt
Product-organization_chartOrganization chart
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25473
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.06% / 17.86%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 11:33
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Flickr Justified Gallery Plugin <= 3.5 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Miro Mannino Flickr Justified Gallery plugin <= 3.5 versions.

Action-Not Available
Vendor-flickr_justified_gallery_projectMiro Mannino
Product-flickr_justified_galleryFlickr Justified Gallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25470
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 13:51
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Rus-To-Lat Plugin <= 0.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Anton Skorobogatov Rus-To-Lat plugin <= 0.3 versions.

Action-Not Available
Vendor-rus-to-lat_projectAnton Skorobogatov
Product-rus-to-latRus-To-Lat
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25449
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 11:58
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress CformsII Plugin <=15.0.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions.

Action-Not Available
Vendor-cformsii_projectOliver Seidel, Bastian Germann
Product-cformsiicformsII
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5602
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.89%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 07:29
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Cross-Site Request Forgery

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-ultimatelysocialinisev
Product-social_media_share_buttons_\&_social_sharing_iconsSocial Media Share Buttons & Social Sharing Icons
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5690
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 60.45%
||
7 Day CHG+0.03%
Published-20 Oct, 2023 | 16:22
Updated-11 Sep, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

Action-Not Available
Vendor-modoboamodoboamodoboa
Product-modoboamodoboa/modoboamodoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5882
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.76% / 73.45%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 20:08
Updated-21 Nov, 2024 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution.

Action-Not Available
Vendor-UnknownSoflyy
Product-wp_all_exportexport_any_wordpress_data_to_xml\/csvWP All Export ProExport any WordPress data to XML/CSV
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-24377
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.40%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 11:18
Updated-28 Apr, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Ecwid Shopping Cart Plugin <= 6.11.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart plugin <= 6.11.3 versions.

Action-Not Available
Vendor-lightspeedhqEcwid Ecommerce
Product-ecwid_ecommerce_shopping_cartEcwid Ecommerce Shopping Cart
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6022
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.8||HIGH
EPSS-0.18% / 38.55%
||
7 Day CHG~0.00%
Published-16 Nov, 2023 | 16:07
Updated-02 Aug, 2024 | 08:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in prefecthq/prefect

Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5.

Action-Not Available
Vendor-prefectprefecthq
Product-prefectprefecthq/prefect
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5893
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.05% / 15.46%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-27 Feb, 2025 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Action-Not Available
Vendor-sfupkp
Product-pkp_web_application_librarypkp/pkp-lib
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-51669
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 41.85%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 22:04
Updated-11 May, 2026 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Dynamic Widgets plugin <= 1.6.4 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Kalmang Dynamic Widgets dynamic-widgets.This issue affects Dynamic Widgets: from n/a through <= 1.6.4.

Action-Not Available
Vendor-vivwebsolutionsKalmang
Product-dynamic_widgetsDynamic Widgets
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-25487
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-11 Jul, 2023 | 07:25
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PixTypes Plugin <= 1.4.14 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade PixTypes plugin <= 1.4.14 versions.

Action-Not Available
Vendor-pixelgradePixelgrade
Product-pixtypesPixTypes
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2552
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.8||HIGH
EPSS-0.20% / 41.95%
||
7 Day CHG+0.01%
Published-05 May, 2023 | 00:00
Updated-12 Feb, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in unilogies/bumsys

Cross-Site Request Forgery (CSRF) in GitHub repository unilogies/bumsys prior to 2.1.1.

Action-Not Available
Vendor-bumsys_projectunilogies
Product-bumsysunilogies/bumsys
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2497
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.18% / 38.75%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
UserPro <= 5.1.0 - Cross-Site Request Forgery to PHP Object Injection

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to the use of unserialize() on the user supplied parameter via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-userpropluginn/a
Product-userproUserPro - Community and User Profile WordPress Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5886
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.75% / 73.31%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 20:07
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.

Action-Not Available
Vendor-UnknownSoflyy
Product-wp_all_exportexport_any_wordpress_data_to_xml\/csvWP All Export ProExport any WordPress data to XML/CSV
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5756
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 16.82%
||
7 Day CHG~0.00%
Published-09 Dec, 2023 | 06:51
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digital Publications by Supsystic <= 1.7.6 - Cross-Site Request Forgery via AJAX action

The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-supsysticsupsysticcom
Product-digital_publications_by_supsysticWordPress Flipbook by Supsystic
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5899
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.05% / 15.46%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-27 Feb, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Action-Not Available
Vendor-pkppkp
Product-pkp_web_application_librarypkp/pkp-lib
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5803
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.92%
||
7 Day CHG~0.00%
Published-30 Nov, 2023 | 15:57
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Business Directory Plugin Plugin <= 6.3.10 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin – Easy Listing Directories for WordPress allows Cross-Site Request Forgery.This issue affects Business Directory Plugin – Easy Listing Directories for WordPress: from n/a through 6.3.10.

Action-Not Available
Vendor-Strategy11
Product-business_directoryBusiness Directory Plugin – Easy Listing Directories for WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-36728
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 8.67%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 16:42
Updated-26 Aug, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimpleHelp Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.11.

Action-Not Available
Vendor-simple-helpSimplehelp
Product-simplehelpSimplehelp
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 47
  • 48
  • Next
Details not found