Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-39437

Summary
Assigner-Patchstack
Assigner Org ID-21595511-bba5-4825-b968-b78d1f9984a3
Published At-17 Apr, 2025 | 15:16
Updated At-17 Apr, 2025 | 15:51
Rejected At-
Credits

WordPress Anthologize plugin <= 0.8.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Patchstack
Assigner Org ID:21595511-bba5-4825-b968-b78d1f9984a3
Published At:17 Apr, 2025 | 15:16
Updated At:17 Apr, 2025 | 15:51
Rejected At:
▼CVE Numbering Authority (CNA)
WordPress Anthologize plugin <= 0.8.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3.

Affected Products
Vendor
Boone Gorges
Product
Anthologize
Collection URL
https://wordpress.org/plugins
Package Name
anthologize
Default Status
unaffected
Versions
Affected
  • From n/a through 0.8.3 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-62CAPEC-62 Cross Site Request Forgery
CAPEC ID: CAPEC-62
Description: CAPEC-62 Cross Site Request Forgery
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Nabil Irawan (Patchstack Alliance)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://patchstack.com/database/wordpress/plugin/anthologize/vulnerability/wordpress-anthologize-plugin-0-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
vdb-entry
Hyperlink: https://patchstack.com/database/wordpress/plugin/anthologize/vulnerability/wordpress-anthologize-plugin-0-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Resource:
vdb-entry
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:audit@patchstack.com
Published At:17 Apr, 2025 | 16:15
Updated At:17 Apr, 2025 | 20:21

Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-352Primaryaudit@patchstack.com
CWE ID: CWE-352
Type: Primary
Source: audit@patchstack.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://patchstack.com/database/wordpress/plugin/anthologize/vulnerability/wordpress-anthologize-plugin-0-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cveaudit@patchstack.com
N/A
Hyperlink: https://patchstack.com/database/wordpress/plugin/anthologize/vulnerability/wordpress-anthologize-plugin-0-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Source: audit@patchstack.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2088Records found
CVE-2024-11673
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 38.89%
||
7 Day CHG~0.00%
Published-25 Nov, 2024 | 23:00
Updated-04 Dec, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1000 Projects Bookstore Management System cross-site request forgery

A vulnerability, which was classified as problematic, has been found in 1000 Projects Bookstore Management System 1.0. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-1000 PROJECTS
Product-bookstore_management_systemBookstore Management Systembookstore_management_system
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-11341
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.35%
||
7 Day CHG~0.00%
Published-05 Dec, 2024 | 09:23
Updated-05 Dec, 2024 | 11:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Redirection <= 1.5 - Cross-Site Request Forgery to Arbitrary Site Redirect

The Simple Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and redirect all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-ecolosites
Product-Simple Redirection
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10300
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 6.92%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 08:25
Updated-16 Oct, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TopBar <= 1.0.0 - Cross-Site Request Forgery to Settings Update

The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-fmeaddons
Product-TopBar
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10789
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 47.17%
||
7 Day CHG+0.19%
Published-16 Jan, 2025 | 03:27
Updated-16 Jan, 2025 | 15:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP User Profile Avatar <= 1.0.5 - Cross-Site Request Forgery to Settings Update

The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupa_user_admin() function. This makes it possible for unauthenticated attackers to update the plugins setting which controls access to the functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wpeventmanager
Product-WP User Profile Avatar
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-11125
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 49.38%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 14:31
Updated-15 Nov, 2024 | 23:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimpleCMS profile.php cross-site request forgery

A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. This issue affects some unknown processing of the file /admin/profile.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-get-simplen/aget-simple
Product-getsimplecmsGetSimpleCMSgetsimplecms
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10309
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.24%
||
7 Day CHG-0.02%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PayPal Forms <= 1.0.3 - Cross-Site Request Forgery

The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and modify PayPal payment settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-bsmye
Product-PayPal Forms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10375
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.40%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 09:28
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web Accessibility By accessiBe <= 2.10 - Cross-Site Request Forgery

The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-accessibewp
Product-Web Accessibility by accessiBe
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10376
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.48%
||
7 Day CHG~0.00%
Published-11 Oct, 2025 | 09:28
Updated-14 Oct, 2025 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Course Redirects for Learndash Plugin <= 0.4 - Cross-Site Request Forgery

The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-ercbs
Product-Course Redirects for Learndash Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10480
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 50.23%
||
7 Day CHG+0.01%
Published-06 Dec, 2024 | 06:00
Updated-17 May, 2025 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
3DPrint Lite < 2.1 - Settings Update via CSRF

The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Action-Not Available
Vendor-wp3dprintingUnknownwp3dprinting
Product-3dprint_lite3DPrint Lite3dprint_lite
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10588
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 6.40%
||
7 Day CHG~0.00%
Published-22 Oct, 2025 | 06:40
Updated-18 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PixelYourSite <= 11.1.2 – Cross-Site Request Forgery to GDPR Options Modification

The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-pixelyoursite
Product-PixelYourSite – Your smart PIXEL (TAG) & API Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10557
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 49.55%
||
7 Day CHG~0.00%
Published-31 Oct, 2024 | 01:00
Updated-23 Oct, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Blood Bank Management System updateprofile.php cross-site request forgery

A vulnerability has been found in code-projects Blood Bank Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /file/updateprofile.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Fabian RosSource Code & Projects
Product-blood_bank_management_systemBlood Bank Management Systemblood_bank_management_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10312
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 7.48%
||
7 Day CHG~0.00%
Published-15 Oct, 2025 | 08:25
Updated-16 Oct, 2025 | 15:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Theme Importer <= 1.0 - Cross-Site Request Forgery

The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-steve-forster
Product-Theme Importer
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10498
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.94%
||
7 Day CHG~0.00%
Published-27 Sep, 2025 | 02:25
Updated-23 Dec, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms – The Contact Form Builder That Grows With You <= 3.12.0 - Cross-Site Request Forgery to Limited File Deletion

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Saturday Drive, INC
Product-ninja_formsNinja Forms – The Contact Form Builder That Grows With You
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10593
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.89%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 02:33
Updated-10 Jul, 2025 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPForms – Easy Form Builder for WordPress <= 1.9.1.6 - Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-WPForms, LLCAwesome Motive Inc.
Product-wpformsWPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-10302
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.24%
||
7 Day CHG-0.02%
Published-03 Oct, 2025 | 11:17
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate Viral Quiz <= 1.0 - Cross-Site Request Forgery to Settings Update

The Ultimate Viral Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on thesave_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-hameha
Product-Ultimate Viral Quiz
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0796
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.89%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-01 Aug, 2024 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6.1. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-wootActive Products Tables for WooCommerce. Professional products tables for WooCommerce store 
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0880
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 52.65%
||
7 Day CHG~0.00%
Published-25 Jan, 2024 | 17:31
Updated-03 Jun, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Qidianbang qdbcrm Password Reset cross-site request forgery

A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/edit?id=2 of the component Password Reset. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252032. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-100296Qidianbang
Product-qdbcrmqdbcrm
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0768
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 42.28%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-08 Jan, 2025 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-envothemesenvothemes
Product-envo\'s_elementor_templates_\&_widgets_for_woocommerceEnvo&#039;s Elementor Templates & Widgets for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10581
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.35%
||
7 Day CHG~0.00%
Published-15 Feb, 2025 | 11:26
Updated-24 Feb, 2025 | 12:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DirectoryPress Frontend <= 2.7.9 - Cross-Site Request Forgery to Listing Status Update

The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfl_listingStatusChange() function. This makes it possible for unauthenticated attackers to update listing statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-designinventodesigninvento
Product-directorypressDirectoryPress Frontend
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10521
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.86%
||
7 Day CHG~0.00%
Published-27 Nov, 2024 | 11:03
Updated-19 Mar, 2025 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Forms by Cimatti <= 1.9.2 - Cross-Site Request Forgery via process_bulk_action Function

The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to delete forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-cimatticimatti
Product-wordpress_contact_formsWordPress Contact Forms by Cimatti
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-10040
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 30.48%
||
7 Day CHG~0.00%
Published-18 Oct, 2024 | 04:32
Updated-01 Nov, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Infinite-Scroll <= 2.6.2 - Cross-Site Request Forgery to Plugin Settings Update

The Infinite-Scroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation on the process_ajax_edit and process_ajax_delete function. This makes it possible for unauthenticated attackers to make changes to plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-infinite-scrollpaulirish-1
Product-infinite-scrollInfinite-Scroll
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9649
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.91%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 02:05
Updated-16 Oct, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP ULike <= 4.7.4 - Cross-Site Request Forgery to Statistic Deletion

The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or incorrect nonce validation on the wp_ulike_delete_history_api() function. This makes it possible for unauthenticated attackers to delete engagements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-alimir
Product-WP ULike – All-in-One Engagement Toolkit
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0790
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 25.22%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-01 Aug, 2024 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions. This makes it possible for unauthenticated attackers to create, modify and delete taxonomy terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Furthermore, the functions wpbe_save_options, wpbe_bulk_delete_posts_count, wpbe_bulk_delete_posts, and wpbe_save_meta are vulnerable to Cross-Site Request Forgery allowing for plugin options update, post count deletion, post deletion and modification of post metadata via forged request.

Action-Not Available
Vendor-PluginUs.Net (RealMag777)
Product-wolf_-_wordpress_posts_bulk_editor_and_products_manager_professionalWOLF – WordPress Posts Bulk Editor and Manager Professional
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-7038
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.23%
||
7 Day CHG-0.04%
Published-21 Dec, 2023 | 17:31
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
automad User Creation cross-site request forgery

A vulnerability was found in automad up to 1.10.9. It has been rated as problematic. This issue affects some unknown processing of the file /dashboard?controller=UserCollection::createUser of the component User Creation Handler. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248687. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-automadn/a
Product-automadautomad
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0373
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.08%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:22
Updated-01 Aug, 2024 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'save_view' function. This makes it possible for unauthenticated attackers to modify arbitrary post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-formviewswpaman086
Product-views_for_wpformsViews for WPForms – Display & Edit WPForms Entries on your site frontend
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0431
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.36%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-22 Apr, 2025 | 15:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-fabrickeasynolo
Product-gestpay_for_woocommerceGestpay for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0379
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-13.92% / 94.21%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-05 Feb, 2025 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's twitter API token and secret via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Smash Balloon, LLC (Smash Balloon)
Product-custom_twitter_feedsCustom Twitter Feeds – A Tweets Widget or X Feed Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0660
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.10% / 26.89%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 21:21
Updated-24 Apr, 2025 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the update_settings function. This makes it possible for unauthenticated attackers to change form settings and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Strategy11
Product-formidable_formsFormidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-7092
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.59%
||
7 Day CHG~0.00%
Published-24 Dec, 2023 | 23:00
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uniway UW-302VP Admin Web Interface wlan_basic_set.cgi cross-site request forgery

A vulnerability was found in Uniway UW-302VP 2.0. It has been rated as problematic. This issue affects some unknown processing of the file /boaform/wlan_basic_set.cgi of the component Admin Web Interface. The manipulation of the argument wlanssid/password leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248939. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-uniwayinfoUniway
Product-uw-302vp_firmwareuw-302vpUW-302VP
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0514
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 42.28%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Jan, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the add_to_compare function. This makes it possible for unauthenticated attackers to add items to user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Royal Elementor Addons
Product-royal_elementor_addonsRoyal Elementor Addons and Templates
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0511
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 20.92%
||
7 Day CHG~0.00%
Published-08 Feb, 2024 | 05:33
Updated-01 Aug, 2024 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the wpr_update_form_action_meta function. This makes it possible for unauthenticated attackers to post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Royal Elementor Addons
Product-royal_elementor_addonsRoyal Elementor Addons and Templates
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0433
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.80%
||
7 Day CHG~0.00%
Published-28 Feb, 2024 | 08:33
Updated-10 Feb, 2025 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default_card' function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-fabrickeasynolo
Product-gestpay_for_woocommerceGestpay for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9661
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.35%
||
7 Day CHG~0.00%
Published-07 Feb, 2025 | 15:21
Updated-18 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP All Import Pro <= 4.9.7 - Cross-Site Request Forgery to Imported Content Deletion

The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Soflyy
Product-WP All Import Pro
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9778
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.18%
||
7 Day CHG~0.00%
Published-12 Oct, 2024 | 05:39
Updated-25 Nov, 2024 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImagePress – Image Gallery <= 1.2.2 - Cross-Site Request Forgery to Plugin Settings Update

The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-getbutterflybutterflymedia
Product-imagepressImagePress – Image Gallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-7195
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.08%
||
7 Day CHG+0.01%
Published-15 May, 2025 | 20:09
Updated-11 Jun, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Reply Notify <= 1.1 - Settings Update via CSRF

The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Action-Not Available
Vendor-ani2lifeUnknown
Product-wp-reply_notifyWP-Reply Notify
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-0515
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.51%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-08 Jan, 2025 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the remove_from_compare function. This makes it possible for unauthenticated attackers to remove items from user compare lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-Royal Elementor Addons
Product-royal_elementor_addonsRoyal Elementor Addons and Templates
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-32289
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 28.25%
||
7 Day CHG~0.00%
Published-21 Jul, 2022 | 15:29
Updated-20 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Popup Builder plugin <= 4.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change

Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status change.

Action-Not Available
Vendor-sygnoosSygnoos
Product-popup_builderPopup Builder (WordPress plugin)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6625
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 13.21%
||
7 Day CHG~0.00%
Published-22 Jan, 2024 | 19:14
Updated-20 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF

The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack

Action-Not Available
Vendor-gravitymasterUnknown
Product-product_enquiry_for_woocommerceProduct Enquiry for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-7052
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 36.43%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 01:00
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Notes Sharing System profile.php cross-site request forgery

A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0. It has been classified as problematic. This affects an unknown part of the file /user/profile.php. The manipulation of the argument name leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-248739.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_notes_sharing_systemOnline Notes Sharing Systemonline_notes_sharing_system
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6633
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.00%
||
7 Day CHG-0.02%
Published-29 Jan, 2024 | 14:44
Updated-07 Aug, 2024 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Site Notes <= 2.0.0 - Admin Note Deletion via CSRF

The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks

Action-Not Available
Vendor-sidenotesprojectUnknownkc_computing
Product-side_notesSite Notessite_notes
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6984
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.06% / 19.37%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 08:29
Updated-03 Jun, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the powerpack-lite-for-elementor/classes/class-pp-admin-settings.php file. This makes it possible for unauthenticated attackers to modify and reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-ideaboxideaboxcreations
Product-powerpack_addons_for_elementorPowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-3233
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 31.65%
||
7 Day CHG~0.00%
Published-21 Sep, 2022 | 19:40
Updated-23 May, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb

Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6.

Action-Not Available
Vendor-IKUS Software
Product-rdiffwebikus060/rdiffweb
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8477
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.70%
||
7 Day CHG~0.00%
Published-10 Oct, 2024 | 02:06
Updated-15 Oct, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) <= 3.1.87 - Cross-Site Request Forgery

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-brevoneeraj_slit
Product-newsletter\,_smtp\,_email_marketing_and_subscribeNewsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6008
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.3||MEDIUM
EPSS-0.07% / 20.18%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 15:33
Updated-02 Aug, 2024 | 08:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Action-Not Available
Vendor-userpropluginn/a
Product-userproUserPro - Community and User Profile WordPress Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-9282
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.22% / 44.18%
||
7 Day CHG~0.00%
Published-27 Sep, 2024 | 13:00
Updated-20 Aug, 2025 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bg5sbk MiniCMS page-edit.php cross-site request forgery

A vulnerability was found in bg5sbk MiniCMS 1.11. It has been classified as problematic. Affected is an unknown function of the file page-edit.php. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions confusing version and file name information. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-1234nbg5sbkbg5sbk
Product-minicmsMiniCMSminicms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6980
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.12% / 30.93%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 05:31
Updated-11 Jul, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This makes it possible for unauthenticated attackers to delete subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-veronalabsmostafas1990
Product-wp_smsWP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5945
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.16%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 12:31
Updated-05 Feb, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsive_video_gallery_with_lightbox_video_management_func() function. This makes it possible for unauthenticated attackers to delete videos hosted from the video slider via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-i13websolutionnik00726
Product-video_carousel_slider_with_lightboxvideo carousel slider with lightbox
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5902
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.88%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-27 Feb, 2025 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Action-Not Available
Vendor-sfupkp
Product-pkp_web_application_librarypkp/pkp-lib
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-8398
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 12.38%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Nav Archives <= 2.1.3 - Settings Update via CSRF

The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-philipwaltonUnknown
Product-simple_nav_archivesSimple Nav Archives
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-5900
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-3.5||LOW
EPSS-0.13% / 33.03%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-03 Dec, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery in pkp/pkp-lib

Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

Action-Not Available
Vendor-sfupkp
Product-pkp_web_application_librarypkp/pkp-lib
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • ...
  • 33
  • 34
  • 35
  • ...
  • 41
  • 42
  • Next
Details not found