Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-6751

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-24 Jul, 2024 | 02:33
Updated At-01 Aug, 2024 | 21:41
Rejected At-
Credits

Social Auto Poster <= 5.3.14 - Cross-Site Request Forgery via Multiple Functions

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:24 Jul, 2024 | 02:33
Updated At:01 Aug, 2024 | 21:41
Rejected At:
▼CVE Numbering Authority (CNA)
Social Auto Poster <= 5.3.14 - Cross-Site Request Forgery via Multiple Functions

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

Affected Products
Vendor
WPWeb EliteWPWeb
Product
Social Auto Poster
Default Status
unaffected
Versions
Affected
  • From * through 5.3.14 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
István Márton
Timeline
EventDate
Discovered2024-07-15 00:00:00
Vendor Notified2024-07-15 00:00:00
Disclosed2024-07-23 00:00:00
Event: Discovered
Date: 2024-07-15 00:00:00
Event: Vendor Notified
Date: 2024-07-15 00:00:00
Event: Disclosed
Date: 2024-07-23 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cve
N/A
https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cve
Resource: N/A
Hyperlink: https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cve
x_transferred
https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cve
Resource:
x_transferred
Hyperlink: https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:24 Jul, 2024 | 03:15
Updated At:03 Sep, 2024 | 21:39

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Secondary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CPE Matches
WPWeb Elite
wpwebinfotech
>>social_auto_poster>>Versions before 5.3.15(exclusive)
cpe:2.3:a:wpwebinfotech:social_auto_poster:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE-352Secondarysecurity@wordfence.com
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-352
Type: Secondary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169security@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cvesecurity@wordfence.com
Third Party Advisory
Hyperlink: https://codecanyon.net/item/social-auto-poster-wordpress-scheduler-marketing-plugin/5754169
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/d7aceccc-7004-42f2-b085-eade9c45141c?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

557Records found
CVE-2024-35550
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 21.01%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 13:38
Updated-25 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoWeb_deal.php?mudi=rev.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-23671
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.06% / 19.16%
||
7 Day CHG~0.00%
Published-11 Jul, 2023 | 11:22
Updated-02 Aug, 2024 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Layer Slider Plugin <= 1.1.9.7 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Muneeb Layer Slider plugin <= 1.1.9.7 versions.

Action-Not Available
Vendor-web-settlerMuneeb
Product-layer_sliderLayer Slider
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-23973
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.63%
||
7 Day CHG~0.00%
Published-01 Mar, 2023 | 12:49
Updated-13 Jan, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Us page - Contact people LITE Plugin <= 3.7.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Contact Us Page – Contact People plugin <= 3.7.0.

Action-Not Available
Vendor-a3reva3rev Software
Product-contact_us_page_-_contact_peopleContact Us Page – Contact People
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-19264
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 30.92%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 17:44
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) in MipCMS v5.0.1 allows attackers to arbitrarily add users via index.php?s=/user/ApiAdminUser/itemAdd.

Action-Not Available
Vendor-mipcmsn/a
Product-mipcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2405
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.06% / 17.21%
||
7 Day CHG~0.00%
Published-03 Jun, 2023 | 04:35
Updated-20 Dec, 2024 | 23:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-vcitavcita
Product-crm_and_lead_management_by_vcitaCRM and Lead Management by vcita
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2307
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.7||MEDIUM
EPSS-0.05% / 14.82%
||
7 Day CHG~0.00%
Published-26 Apr, 2023 | 00:00
Updated-31 Jan, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in builderio/qwik

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

Action-Not Available
Vendor-builderbuilderio
Product-qwikbuilderio/qwik
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-22852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.95%
||
7 Day CHG~0.00%
Published-14 Jan, 2023 | 00:00
Updated-07 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.

Action-Not Available
Vendor-tikin/a
Product-tikin/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-21139
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.19%
||
7 Day CHG~0.00%
Published-04 Nov, 2021 | 19:09
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.

Action-Not Available
Vendor-ec_cloud_e-commerce_system_projectn/a
Product-ec_cloud_e-commerce_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-2179
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.20%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 12:15
Updated-24 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

Action-Not Available
Vendor-UnknownWooCommerce
Product-woocommerce_order_status_change_notifierWooCommerce Order Status Change Notifier
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2023-22681
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.91%
||
7 Day CHG~0.00%
Published-20 Mar, 2023 | 10:56
Updated-10 Jan, 2025 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Online Exam Software : eExamhall Plugin <= 4.0 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Aarvanshinfotech Online Exam Software: eExamhall plugin <= 4.0 versions.

Action-Not Available
Vendor-online_exam_software_\Aarvanshinfotech
Product-_eexamhall_projectOnline Exam Software : eExamhall
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-20468
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.19%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 04:00
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.

Action-Not Available
Vendor-white_shark_systems_projectn/a
Product-white_shark_systemsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-17901
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.16% / 37.53%
||
7 Day CHG~0.00%
Published-30 Nov, 2020 | 18:22
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) in PbootCMS 1.3.2 allows attackers to change the password of a user.

Action-Not Available
Vendor-pbootcmsn/a
Product-pbootcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-2091
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.84%
||
7 Day CHG~0.00%
Published-11 Jul, 2022 | 12:57
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cache Images < 3.2.1 - Image Upload / Import via CSRF

The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack.

Action-Not Available
Vendor-cache_images_projectUnknown
Product-cache_imagesCache Images
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-20650
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.90%
||
7 Day CHG~0.00%
Published-12 Feb, 2021 | 06:15
Updated-03 Aug, 2024 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RMWH2 allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started.

Action-Not Available
Vendor-Elecom Co., Ltd.
Product-ncc-ewf100rmwh2ncc-ewf100rmwh2_firmwareNCC-EWF100RMWH2
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1624
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 18:30
Updated-04 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

Action-Not Available
Vendor-UnknownWPCode, LLC (WPCode)
Product-wpcodeWPCode
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0438
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.08%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1330
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 28.14%
||
7 Day CHG~0.00%
Published-03 Apr, 2023 | 14:38
Updated-14 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection < 1.1.4 - Redirect Creation via CSRF

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

Action-Not Available
Vendor-inisevUnknown
Product-redirectionRedirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0502
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.97%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF

The WP News WordPress plugin through 1.1.9 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Action-Not Available
Vendor-UnknownHasTech IT Limited (HasThemes)
Product-wp_newsWP News
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0735
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.11%
||
7 Day CHG~0.00%
Published-07 Feb, 2023 | 00:00
Updated-25 Mar, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in wallabag/wallabag

Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.

Action-Not Available
Vendor-wallabagwallabag
Product-wallabagwallabag/wallabag
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1331
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-17 Apr, 2023 | 12:17
Updated-06 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Redirection < 1.1.5 - Plugin Reset via CSRF

The Redirection WordPress plugin before 1.1.5 does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack.

Action-Not Available
Vendor-inisevUnknown
Product-redirectionRedirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-18889
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 36.28%
||
7 Day CHG~0.00%
Published-06 May, 2021 | 16:54
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in puppyCMS v5.1 that can change the admin's password via /admin/settings.php.

Action-Not Available
Vendor-puppycmsn/a
Product-puppycmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-1092
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.59%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:39
Updated-19 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OAuth Single Sign On - SSO (OAuth Client) - IdP Deletion via CSRF

The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack

Action-Not Available
Vendor-miniorangeMiniOrange
Product-oauth_single_sign_onOAuth Single Sign On EnterpriseOAuth Single Sign On StandardOAuth Single Sign On PremiumOAuth Single Sign On Free
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0674
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 16.30%
||
7 Day CHG~0.00%
Published-04 Feb, 2023 | 07:34
Updated-02 Aug, 2024 | 05:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XXL-JOB New Password updatePwd cross-site request forgery

A vulnerability, which was classified as problematic, has been found in XXL-JOB 2.3.1. Affected by this issue is some unknown functionality of the file /user/updatePwd of the component New Password Handler. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220196.

Action-Not Available
Vendor-n/aXuxueli
Product-xxl-jobXXL-JOB
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-18151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.53%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 18:18
Updated-04 Aug, 2024 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.

Action-Not Available
Vendor-thinkcmfn/a
Product-thinkcmfn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0522
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.54%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 13:58
Updated-04 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enable/Disable Auto Login when Register <= 1.1.0 - Settings Update via CSRF

The Enable/Disable Auto Login when Register WordPress plugin through 1.1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-enable\/disable_auto_login_when_register_projectUnknown
Product-enable\/disable_auto_login_when_registerEnable/Disable Auto Login when Register
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0500
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.97%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 15:37
Updated-19 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF

The WP Film Studio WordPress plugin before 1.3.5 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Action-Not Available
Vendor-UnknownHasTech IT Limited (HasThemes)
Product-wp_film_studioWP Film Studio
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-15600
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 32.23%
||
7 Day CHG~0.00%
Published-07 Jul, 2020 | 21:17
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.

Action-Not Available
Vendor-cmsuno_projectn/a
Product-cmsunon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-0398
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.74%
||
7 Day CHG~0.00%
Published-19 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in modoboa/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Action-Not Available
Vendor-modoboamodoboa
Product-modoboamodoboa/modoboa
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9437
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.69%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 01:18
Updated-27 Nov, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

Action-Not Available
Vendor-vivwebsolutionsn/a
Product-dynamic_widgetsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9429
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.60%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 00:52
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.

Action-Not Available
Vendor-n/aYour Inspiration Solutions S.L.U. (YITH) (YITHEMES)
Product-yith_maintenance_moden/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-15695
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.01% / 0.25%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 15:50
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Joomla! through 3.9.19. A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9432
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 38.69%
||
7 Day CHG~0.00%
Published-26 Sep, 2019 | 01:07
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The alpine-photo-tile-for-instagram plugin before 1.2.7.6 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings tab parameter.

Action-Not Available
Vendor-thealpinepressn/a
Product-alpine-photo-tile-for-instagramn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4888
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.41% / 60.45%
||
7 Day CHG~0.00%
Published-31 Jul, 2023 | 09:37
Updated-17 Oct, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Plugins from Addify - Multiple CSRF

The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration Forms Builder WordPress plugin before 1.0.2, Advanced Free Gifts WordPress plugin before 1.0.2, Gift Registry for WooCommerce WordPress plugin through 1.0.1, Image Watermark for WooCommerce WordPress plugin before 1.0.1, Order Approval for WooCommerce WordPress plugin before 1.1.0, Order Tracking for WooCommerce WordPress plugin before 1.0.2, Price Calculator for WooCommerce WordPress plugin through 1.0.3, Product Dynamic Pricing and Discounts WordPress plugin through 1.0.6, Product Labels and Stickers WordPress plugin through 1.0.1 have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions

Action-Not Available
Vendor-addifyUnknownaddify
Product-gift_registry_for_woocommerceorder_tracking_for_woocommercecustom_order_numbercustom_registration_forms_buildercheckout_fields_manageradvanced_free_giftscustom_fields_for_woocommerceimage_watermark_for_woocommerceorder_approval_for_woocommerceabandoned_cart_recoveryGift Registry for WooCommerceCheckout Fields ManagerCustom Fields for WooCommerceCustom Order NumberProduct Dynamic Pricing and DiscountsAdvanced Free GiftsPrice Calculator for WooCommerceProduct Labels and StickersAbandoned Cart RecoveryCustom Registration Forms BuilderOrder Approval for WooCommerceOrder Tracking for WooCommerceImage Watermark for WooCommercegift_registry_for_woocommerceorder_tracking_for_woocommercecustom_order_numbercustom_registration_forms_buildercheckout_fields_manageradvanced_free_giftscustom_fields_for_woocommerceimage_watermark_for_woocommerceproduct_labels_and_stickersprice_calculator_for_woocommerceorder_approval_for_woocommerceabandoned_cart_recoveryproduct_dynamic_pricing_and_discounts
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-47609
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 20.48%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 08:56
Updated-09 Jan, 2025 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DNUI Plugin <= 2.8.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Nicearma DNUI plugin <= 2.8.1 versions.

Action-Not Available
Vendor-nicearmaNicearma
Product-dnui-delete-not-used-imageDNUI
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4766
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 17.60%
||
7 Day CHG~0.00%
Published-27 Dec, 2022 | 12:14
Updated-17 May, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
dolibarr_project_timesheet Form cross-site request forgery

A vulnerability was found in dolibarr_project_timesheet up to 4.5.5. It has been declared as problematic. This vulnerability affects unknown code of the component Form Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. Upgrading to version 4.5.6.a is able to address this issue. The name of the patch is 082282e9dab43963e6c8f03cfaddd7921de377f4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216880.

Action-Not Available
Vendor-dolibarr_project_timesheet_projectn/a
Product-dolibarr_project_timesheetdolibarr_project_timesheet
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4849
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.06% / 18.08%
||
7 Day CHG~0.00%
Published-29 Dec, 2022 | 00:00
Updated-09 Apr, 2025 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in usememos/memos

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-14369
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.11% / 30.90%
||
7 Day CHG~0.00%
Published-02 Dec, 2020 | 14:28
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-cloudformsCloudForms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4846
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 8.55%
||
7 Day CHG~0.00%
Published-29 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in usememos/memos

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-45824
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 13.95%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 11:07
Updated-20 Feb, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Booking Calendar Plugin <= 1.7.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

Action-Not Available
Vendor-elbtideAdvanced Booking Calendar
Product-advanced_booking_calendarAdvanced Booking Calendar
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-28682
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.12% / 32.06%
||
7 Day CHG~0.00%
Published-13 Mar, 2024 | 00:00
Updated-01 Apr, 2025 | 13:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/sys_cache_up.php.

Action-Not Available
Vendor-n/aDedeCMS
Product-dedecmsn/adedecms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-1761
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.38%
||
7 Day CHG~0.00%
Published-13 Jun, 2022 | 12:42
Updated-03 Aug, 2024 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Peter’s Collaboration E-mails <= 2.2.0 - Arbitrary Settings Update via CSRF

The Peter’s Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more.

Action-Not Available
Vendor-peter\'s_collaboration_e-mails_projectUnknown
Product-peter\'s_collaboration_e-mailsPeter’s Collaboration E-mails
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4443
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.12% / 31.20%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 14:31
Updated-02 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BruteBank - WP Security & Firewall < 1.9 - Settings Update via CSRF

The BruteBank WordPress plugin before 1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Action-Not Available
Vendor-brutebankUnknown
Product-brutebankBruteBank
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-1830
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.92%
||
7 Day CHG~0.00%
Published-20 Jun, 2022 | 10:26
Updated-03 Aug, 2024 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Amazon Einzeltitellinks <= 1.3.3 - Arbitrary Settings Update to Stored XSS via CSRF

The Amazon Einzeltitellinks WordPress plugin through 1.3.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

Action-Not Available
Vendor-amazon_einzeltitellinks_projectUnknown
Product-amazon_einzeltitellinksAmazon Einzeltitellinks
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-4548
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.91%
||
7 Day CHG~0.00%
Published-23 Jan, 2023 | 14:31
Updated-02 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF

The Optimize images ALT Text & names for SEO using AI WordPress plugin before 2.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Action-Not Available
Vendor-imageseoUnknown
Product-optimize_images_alt_text_\(alt_tag\)_\&_names_for_seo_using_aiOptimize images ALT Text (alt tag) & names for SEO using AI
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-45130
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 58.99%
||
7 Day CHG~0.00%
Published-10 Nov, 2022 | 00:00
Updated-01 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.

Action-Not Available
Vendor-n/aPlesk (WebPros International GmbH)
Product-obsidiann/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-1827
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.38%
||
7 Day CHG~0.00%
Published-20 Jun, 2022 | 10:26
Updated-03 Aug, 2024 | 00:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PDF24 Article To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF

The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-pdf24_articles_to_pdf_projectUnknown
Product-pdf24_articles_to_pdfPDF24 Article To PDF
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-27265
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.5||MEDIUM
EPSS-0.04% / 8.90%
||
7 Day CHG~0.00%
Published-14 Mar, 2024 | 18:37
Updated-02 Aug, 2024 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Integration Bus for z/OS cross-site request forgery

IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 284564.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-windowsintegration_buslinux_kernelz\/osIntegration Bus for z/OS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-1422
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.84%
||
7 Day CHG~0.00%
Published-06 Jun, 2022 | 08:50
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discy < 5.2 - Restore Default Settings via CSRF

The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

Action-Not Available
Vendor-2codeUnknown
Product-discyDiscy
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-2843
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 14.93%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 06:00
Updated-29 May, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Customers Manager < 30.1 - User Deletion via CSRF

The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks

Action-Not Available
Vendor-UnknownWooCommerceVanquish
Product-woocommerce_customers_managerWooCommerce Customers Managerwoocommerce_customers_manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-20130
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 23.02%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-25 Oct, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_infrastructureevolved_programmable_network_managerCisco Prime Infrastructure
CWE ID-CWE-27
Path Traversal: 'dir/../../filename'
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 11
  • 12
  • Next
Details not found