The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'save_settings' function. This makes it possible for unauthenticated attackers to modify the theme's settings, including enabling a setting which allows lower-privileged users such as contributors to perform code execution, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
Cross-Site Request Forgery (CSRF) vulnerability in www.15.to QR Code Tag for WC allows Cross Site Request Forgery. This issue affects QR Code Tag for WC: from n/a through 1.9.36.
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.
CSRF in admin/manage-departments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a department via a crafted request.
CSRF in admin/reply-ticket.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to reply to any ticket, given the id, via a crafted request.
Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <=Ā 1.2.9 versions.
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Better Notifications for WP plugin <=Ā 1.9.2 versions.
Cross-Site Request Forgery (CSRF) vulnerability in freetobook Freetobook Responsive Widget allows Cross Site Request Forgery. This issue affects Freetobook Responsive Widget: from n/a through 1.1.
Cross-Site Request Forgery (CSRF) vulnerability in Robert D Payne RDP Wiki Embed allows Cross Site Request Forgery. This issue affects RDP Wiki Embed: from n/a through 1.2.20.
The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'reset_settings' function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Subscribers Text Counter WordPress plugin before 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
Cross-Site Request Forgery (CSRF) vulnerability in Labinator Labinator Content Types Duplicator allows Cross Site Request Forgery. This issue affects Labinator Content Types Duplicator: from n/a through 1.1.3.
Cross-Site Request Forgery (CSRF) vulnerability in bsndev Ultimate Security Checker allows Cross Site Request Forgery. This issue affects Ultimate Security Checker: from n/a through 4.2.
Cross-Site Request Forgery (CSRF) vulnerability in Nitin Prakash Product Author for WooCommerce allows Cross Site Request Forgery. This issue affects Product Author for WooCommerce: from n/a through 1.0.7.
Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Image Autosave allows Cross Site Request Forgery. This issue affects Hacklog Remote Image Autosave: from n/a through 2.1.0.
Cross-Site Request Forgery (CSRF) vulnerability in Saso Serial Codes Generator and Validator with WooCommerce Support allows Cross Site Request Forgery. This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.7.7.
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
Cross-Site Request Forgery (CSRF) vulnerability in pixolette Christmas Panda allows Cross Site Request Forgery. This issue affects Christmas Panda: from n/a through 1.0.4.
Cross-Site Request Forgery (CSRF) vulnerability in Codehaveli Bitly URL Shortener allows Cross Site Request Forgery. This issue affects Bitly URL Shortener: from n/a through 1.3.3.
Cross-Site Request Forgery (CSRF) vulnerability in weblizar HR Management Lite allows Cross Site Request Forgery. This issue affects HR Management Lite: from n/a through 3.3.
Cross-site request forgery (CSRF) vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to hijack the authentication of administrators via a specially crafted URL.
Cross-Site Request Forgery (CSRF) vulnerability in Yummly Yummly Rich Recipes allows Cross Site Request Forgery. This issue affects Yummly Rich Recipes: from n/a through 4.2.
Cross-Site Request Forgery (CSRF) vulnerability in flyaga Fix Rss Feeds allows Cross Site Request Forgery. This issue affects Fix Rss Feeds: from n/a through 3.1.
Cross-Site Request Forgery (CSRF) vulnerability in Abu Bakar TWB Woocommerce Reviews allows Cross Site Request Forgery. This issue affects TWB Woocommerce Reviews: from n/a through 1.7.7.
Cross-Site Request Forgery (CSRF) vulnerability in Hakik Zaman Custom Login Logo allows Cross Site Request Forgery. This issue affects Custom Login Logo: from n/a through 1.1.7.
Cross-Site Request Forgery (CSRF) vulnerability in Musa AVCI Ćnceki Yazı Link allows Cross Site Request Forgery. This issue affects Ćnceki Yazı Link: from n/a through 1.3.
Cross-Site Request Forgery (CSRF) vulnerability in Fastmover Plugins Last Updated Column allows Cross Site Request Forgery. This issue affects Plugins Last Updated Column: from n/a through 0.1.3.
The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request that they did not intend. The request uses the victim's browser's saved authorization to execute the request.
Cross-Site Request Forgery (CSRF) vulnerability in Skrill_Team Skrill Official allows Cross Site Request Forgery. This issue affects Skrill Official: from n/a through 1.0.65.
The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
IBM Financial Transaction Manager 3.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 172706.
A vulnerability has been found in DedeCMS 5.7 and classified as problematic. This vulnerability affects unknown code of the file /src/dede/shops_delivery.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263308. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to bypass security restrictions, caused by improper validation and management of authentication cookies. By modifying the CSRF token and Session Id cookie parameters using the cookies of another user, a remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access to the vulnerable application.