Byte Open Security

(ByteOS Network)

Vulnerability Details :

CVE-2025-8505

Summary
Assigner: VulDB
Assigner Org ID: 1af790b2-7ee1-4545-860a-a788eba489b5
Published At: 03 Aug, 2025 | 08:02
Updated At: 04 Aug, 2025 | 17:40
Rejected At:

495300897 wx-shop cross-site request forgery

A vulnerability has been found in 495300897 wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available.

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: VulDB
Assigner Org ID: 1af790b2-7ee1-4545-860a-a788eba489b5
Published At: 03 Aug, 2025 | 08:02
Updated At: 04 Aug, 2025 | 17:40
Rejected At:
CVE Numbering Authority (CNA)
Affected Products
Vendor: 495300897
Product: wx-shop
Versions
Affected:
  • de1b66331368695779cfc6e4d11a64caddf8716e
Problem Types
Type: CWE
CWE ID: CWE-352
Description: Cross-Site Request Forgery
Type: CWE
CWE ID: CWE-862
Description: Missing Authorization
Metrics
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Version: 3.0
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Version: 2.0
Base score: 5.0
Base severity: N/A
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Credits
Reporter: HJAQiang (VulDB User)
Timeline
Event: Advisory disclosed
Date: 2025-08-02 00:00:00
Event: VulDB entry created
Date: 2025-08-02 02:00:00
Event: VulDB entry last update
Date: 2025-08-02 09:11:54
References
Hyperlink: https://vuldb.com/?id.318604
Resource: vdb-entry
Hyperlink: https://vuldb.com/?ctiid.318604
Resource: signature, permissions-required
Hyperlink: https://vuldb.com/?submit.627322
Resource: third-party-advisory
Hyperlink: https://github.com/Bemcliu/cve-reports/blob/main/cve-08-wx-shop-CSRF/readme.md
Resource: exploit
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cna@vuldb.com
Published At: 03 Aug, 2025 | 08:15
Updated At: 04 Aug, 2025 | 15:06

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Weaknesses
CWE ID: CWE-352
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-862
Type: Primary
Source: cna@vuldb.com
References
Hyperlink: https://github.com/Bemcliu/cve-reports/blob/main/cve-08-wx-shop-CSRF/readme.md
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?ctiid.318604
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?id.318604
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?submit.627322
Source: cna@vuldb.com
Resource: N/A

Similar CVEs

1873 records found

CVE-2025-52767
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.22%
7 Day CHG~0.00%
Published-14 Aug, 2025 | 18:22
Updated-15 Aug, 2025 | 13:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress NetInsight Analytics Implementation Plugin <= 1.0.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in lisensee NetInsight Analytics Implementation Plugin allows Cross Site Request Forgery. This issue affects NetInsight Analytics Implementation Plugin: from n/a through 1.0.3.

Action-Not Available
Vendor-lisensee
Product-NetInsight Analytics Implementation Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-5410
Matching Score-4
Assigner-VulDB
CVSS Score-5.3 (MEDIUM)
EPSS-0.02% / 4.57%
7 Day CHG~0.00%
Published-01 Jun, 2025 | 22:31
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mist Community Edition middleware.py session_start_response cross-site request forgery

A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is identified as db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-Mist
Product-Community Edition
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2025-54039
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.67%
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-16 Jul, 2025 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Animator plugin <= 3.0.16 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator allows Cross Site Request Forgery. This issue affects Animator: from n/a through 3.0.16.

Action-Not Available
Vendor-Toast Plugins
Product-Animator
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-53269
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.67%
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress My Wp Brand plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through 1.1.3.

Action-Not Available
Vendor-imw3
Product-My Wp Brand
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2016-11055
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3 (MEDIUM)
EPSS-0.12% / 31.58%
7 Day CHG~0.00%
Published-28 Apr, 2020 | 15:59
Updated-06 Aug, 2024 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by CSRF. This affects CM400 before 2017-01-11, CM600 before 2017-01-11, D1500 before 2017-01-11, D500 before 2017-01-11, DST6501 before 2017-01-11, JNR1010v1 before 2017-01-11, JWNR2000Tv3 before 2017-01-11, JWNR2010v3 before 2017-01-11, PLW1000 before 2017-01-11, PLW1010 before 2017-01-11, WNR500 before 2017-01-11, WNR612v3 before 2017-01-11, N450 before 2017-01-11, and CG3000Dv2 before 2017-01-11.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-jnr1010_firmwared500cm400n450_cg3000d_firmwaredst6501_firmwareplw1000_firmwarecm400_firmwaren450_cg3000dwnr612_firmwareplw1000jwnr2010cm600_firmwared500_firmwared1500jwnr2000t_firmwarejwnr2000tdst6501d1500_firmwareplw1010cm600jnr1010wnr500wnr500_firmwarewnr612plw1010_firmwarejwnr2010_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-53261
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.67%
7 Day CHG~0.00%
Published-27 Jun, 2025 | 13:21
Updated-30 Jun, 2025 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP YouTube Live plugin <= 1.10.0 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0.

Action-Not Available
Vendor-macbookandrew
Product-WP YouTube Live
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-54036
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.67%
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-16 Jul, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Webba Booking plugin <= 5.1.20 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20.

Action-Not Available
Vendor-Webba Appointment Booking
Product-Webba Booking
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49856
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-18 Jun, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Responsive Plus plugin <= 3.2.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in CyberChimps Responsive Plus allows Cross Site Request Forgery. This issue affects Responsive Plus: from n/a through 3.2.2.

Action-Not Available
Vendor-CyberChimps Inc.
Product-Responsive Plus
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49967
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Live Sports Streamthunder plugin <= 2.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in marcusjansen Live Sports Streamthunder allows Cross Site Request Forgery. This issue affects Live Sports Streamthunder: from n/a through 2.1.

Action-Not Available
Vendor-marcusjansen
Product-Live Sports Streamthunder
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-5132
Matching Score-4
Assigner-VulDB
CVSS Score-5.3 (MEDIUM)
EPSS-0.05% / 13.94%
7 Day CHG~0.00%
Published-24 May, 2025 | 21:00
Updated-16 Jun, 2025 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tmall Demo logout cross-site request forgery

A vulnerability was found in Tmall Demo up to 20250505. It has been rated as problematic. This issue affects some unknown processing of the file tmall/admin/account/logout. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-project_teamTmall
Product-tmall_demoDemo
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2025-49975
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JobWP plugin <= 2.4.0 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Hossni Mubarak JobWP allows Cross Site Request Forgery. This issue affects JobWP: from n/a through 2.4.0.

Action-Not Available
Vendor-Hossni Mubarak
Product-JobWP
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49865
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-17 Jun, 2025 | 15:01
Updated-20 Jun, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Advanced Settings plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.0.1.

Action-Not Available
Vendor-Helmut Wandl
Product-Advanced Settings
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-20580
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3 (MEDIUM)
EPSS-0.09% / 26.43%
7 Day CHG~0.00%
Published-29 Jun, 2021 | 15:50
Updated-17 Sep, 2024 | 03:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Planning Analytics 2.0 could be vulnerable to cross-site request forgery (CSRF) which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 198241.

Action-Not Available
Vendor-IBM Corporation
Product-planning_analyticsPlanning Analytics
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49972
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TM Replace Howdy plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2.

Action-Not Available
Vendor-David Wood
Product-TM Replace Howdy
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-49968
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 3.46%
7 Day CHG~0.00%
Published-20 Jun, 2025 | 15:04
Updated-23 Jun, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress XML Travel Portal Widget plugin <= 2.0 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Oganro XML Travel Portal Widget allows Cross Site Request Forgery. This issue affects XML Travel Portal Widget: from n/a through 2.0.

Action-Not Available
Vendor-Oganro
Product-XML Travel Portal Widget
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-5033
Matching Score-4
Assigner-VulDB
CVSS Score-5.3 (MEDIUM)
EPSS-0.04% / 10.19%
7 Day CHG~0.00%
Published-21 May, 2025 | 17:31
Updated-20 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XiaoBingby TeaCMS addUser cross-site request forgery

A vulnerability classified as problematic was found in XiaoBingby TeaCMS 2.0.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/me/teacms/controller/admin/UserManageController/addUser. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-teacms_projectXiaoBingby
Product-teacmsTeaCMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2024-1909
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.10% / 27.72%
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory function. This makes it possible for unauthenticated attackers to rename categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13710
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.01% / 0.71%
7 Day CHG~0.00%
Published-25 Mar, 2025 | 08:22
Updated-31 Mar, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Estatebud – Properties & Listings <= 5.5.0 - Cross-Site Request Forgery to Settings Update

The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-estatebud
Product-Estatebud – Properties & Listings
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1504
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.12% / 32.39%
7 Day CHG~0.00%
Published-02 Apr, 2024 | 05:32
Updated-15 Aug, 2025 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link.

Action-Not Available
Vendor-secupresssecupress
Product-secupressSecuPress Free — WordPress Security
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13768
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 4.83%
7 Day CHG+0.01%
Published-22 Mar, 2025 | 06:41
Updated-24 Mar, 2025 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Font Assignment Deletion

The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_assign_fonts_tab() function. This makes it possible for unauthenticated attackers to delete font assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-ashikcse
Product-CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13511
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.03% / 5.07%
7 Day CHG~0.00%
Published-23 Jan, 2025 | 09:21
Updated-05 Feb, 2025 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset

The Variation Swatches for WooCommerce plugin, in all versions starting at 1.0.8 up until 1.3.2, contains a vulnerability due to improper nonce verification in its settings reset functionality. The issue exists in the settings_init() function, which processes a reset action based on specific query parameters in the URL. The related delete_settings() function performs a faulty nonce validation check, making the reset operation insecure and susceptible to unauthorized access.

Action-Not Available
Vendor-variation_swatches_for_woocommerce_projectthemehunk
Product-variation_swatches_for_woocommerceVariation Swatches for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1912
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.10% / 27.72%
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers to update the folder position of categories as well as update the metadata of other taxonomies via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13580
Matching Score-4
Assigner-WPScan
CVSS Score-4.3 (MEDIUM)
EPSS-0.03% / 6.06%
7 Day CHG~0.00%
Published-11 Mar, 2025 | 06:00
Updated-29 Aug, 2025 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XV Random Quotes <= 1.40 - Settings Reset via CSRF

The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack

Action-Not Available
Vendor-xavivarsUnknown
Product-xv_random_quotesXV Random Quotes
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1489
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.11% / 30.43%
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:27
Updated-03 Apr, 2025 | 13:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. This is due to missing or incorrect nonce validation on the processBulkAction function. This makes it possible for unauthenticated attackers to delete pages and posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-cozyvisioncozyvision1
Product-sms_alert_order_notificationsSMS Alert Order Notifications – WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13709
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.01% / 0.20%
7 Day CHG~0.00%
Published-25 Jan, 2025 | 03:21
Updated-27 Jan, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linear <= 2.8.1 - Cross-Site Request Forgery to Cache Reset

The Linear plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on the 'linear-debug'. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-linearoy
Product-Linear
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13683
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.02% / 2.69%
7 Day CHG~0.00%
Published-24 Jan, 2025 | 07:04
Updated-12 Feb, 2025 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Automate Hub Free by Sperse.IO <= 1.7.0 - Cross-Site Request Forgery to Activation Status Update

The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. This is due to missing or incorrect nonce validation on the 'automate_hub' page. This makes it possible for unauthenticated attackers to update an activation status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-spersesperse
Product-automate_hubAutomate Hub Free by Sperse.IO
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1592
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3 (MEDIUM)
EPSS-0.06% / 19.68%
7 Day CHG~0.00%
Published-02 Mar, 2024 | 06:46
Updated-01 Aug, 2025 | 02:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce validation on the process_delete function in class-DNSMPD.php. This makes it possible for unauthenticated attackers to delete GDPR data requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-really-simple-pluginsrogierlankhorst
Product-complianzComplianz – GDPR/CCPA Cookie Consent
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13555
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3 (MEDIUM)
EPSS-0.01% / 1.70%
7 Day CHG~0.00%
Published-18 Feb, 2025 | 04:21
Updated-24 Feb, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Cross-Site Request Forgery to Backup Process Cancellation

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes it possible for unauthenticated attackers to cancel a triggered backup via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-1clickmigration1clickmigration
Product-1_click_migration1 Click WordPress Migration Plugin – 100% FREE for a limited time
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1446
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.82%
7 Day CHG~0.00%
Published-22 May, 2024 | 06:50
Updated-07 Feb, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NextScripts: Social Networks Auto-Poster <= 4.4.3 - Cross-Site Request Forgery to Arbitrary Post Deletion

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.3. This is due to missing or incorrect nonce validation on the nxssnap-reposter page. This makes it possible for unauthenticated attackers to delete arbitrary posts or pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-nextscriptsnextscriptsnextscripts
Product-social_networks_auto_posterNextScripts: Social Networks Auto-Postersocial_networks_auto_poster
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1777
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 21.30%
7 Day CHG~0.00%
Published-23 Feb, 2024 | 06:48
Updated-16 Jan, 2025 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-zestardzestardtechnologies
Product-admin_side_data_storage_for_contact_form_7Admin side data storage for Contact Form 7
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13795
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.70%
7 Day CHG~0.00%
Published-18 Feb, 2025 | 07:28
Updated-21 Feb, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ecwid by Lightspeed Ecommerce Shopping Cart <= 6.12.27 - Cross-Site Request Forgery to Send Deactivation Message

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-lightspeedhqecwid
Product-ecwid_ecommerce_shopping_cartEcwid by Lightspeed Ecommerce Shopping Cart
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13718
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.70%
7 Day CHG~0.00%
Published-18 Feb, 2025 | 08:21
Updated-21 Feb, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later <= 1.2.26 - Cross-Site Request Forgery to Wishlist Creation/Modification

The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other users' wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wpdeskwpdesk
Product-flexible_wishlist_for_woocommerceFlexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13494
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.11%
7 Day CHG~0.00%
Published-25 Feb, 2025 | 07:30
Updated-28 Feb, 2025 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details

The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-iptanusnickboss
Product-wordpress_file_uploadWordPress File Upload
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1360
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.09% / 26.92%
7 Day CHG~0.00%
Published-23 Feb, 2024 | 11:03
Updated-05 Feb, 2025 | 21:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-colibriwpextendthemes
Product-colibriColibri WP
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1760
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 33.82%
7 Day CHG~0.00%
Published-06 Mar, 2024 | 05:33
Updated-04 Feb, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. This is due to missing or incorrect nonce validation on the ssa_factory_reset() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-N Squared Digital, LLC
Product-simply_schedule_appointmentsAppointment Booking Calendar — Simply Schedule Appointments Booking Pluginsimply_schedule_appointments
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13560
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.88%
7 Day CHG~0.00%
Published-26 Feb, 2025 | 08:21
Updated-26 Feb, 2025 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Subscriptions & Memberships for PayPal <= 1.1.6 - Cross-Site Request Forgery to Arbitrary Post Deletion

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-scottpaterson
Product-Subscriptions & Memberships for PayPal
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1642
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 28.35%
7 Day CHG~0.00%
Published-13 Mar, 2024 | 15:26
Updated-03 Apr, 2025 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mainwpmainwp
Product-mainwp_dashboardMainWP Dashboard – WordPress Manager for Multiple Websites Maintenance
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1910
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.72%
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory function. This makes it possible for unauthenticated attackers to clear categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13682
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.60%
7 Day CHG~0.00%
Published-04 Mar, 2025 | 08:23
Updated-04 Mar, 2025 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 - Cross-Site Request Forgery

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wpswingswpswings
Product-wallet_system_for_woocommerceWallet System for WooCommerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1906
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.72%
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory function. This makes it possible for unauthenticated attackers to add categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-39425
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.03% / 5.55%
7 Day CHG~0.00%
Published-17 Apr, 2025 | 15:17
Updated-17 Apr, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Style Manager plugin <= 2.2.7 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in pixelgrade Style Manager allows Cross Site Request Forgery. This issue affects Style Manager: from n/a through 2.2.7.

Action-Not Available
Vendor-pixelgrade
Product-Style Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1778
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 39.23%
7 Day CHG~0.00%
Published-23 Feb, 2024 | 06:48
Updated-16 Jan, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

Action-Not Available
Vendor-zestardzestardtechnologies
Product-admin_side_data_storage_for_contact_form_7Admin side data storage for Contact Form 7
CWE ID-CWE-862
Missing Authorization
CVE-2024-13647
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.70%
7 Day CHG~0.00%
Published-27 Feb, 2025 | 04:21
Updated-21 Mar, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
School Management System – SakolaWP <= 1.0.8 - Cross-Site Request Forgery to Exam Setting Manipulation

The School Management System – SakolaWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the 'save_exam_setting' and 'delete_exam_setting' actions. This makes it possible for unauthenticated attackers to update exam settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-themesawesomethemesawesome
Product-sakolawpSchool Management System – SakolaWP
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1503
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 35.41%
7 Day CHG~0.00%
Published-12 Mar, 2024 | 23:33
Updated-15 Jan, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.

Action-Not Available
Vendor-Themeum
Product-tutor_lmsTutor LMS – eLearning and online course solution
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1719
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.32%
7 Day CHG~0.00%
Published-28 Feb, 2024 | 09:33
Updated-21 Mar, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and change the Stripe connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-wppluginscottpaterson
Product-paypal_\&_stripe_add-onContact Form 7 – PayPal & Stripe Add-onEasy PayPal & Stripe Buy Now Button
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13883
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 0.22%
7 Day CHG~0.00%
Published-21 Feb, 2025 | 03:21
Updated-25 Feb, 2025 | 03:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPUpper Share Buttons <= 3.51 - Cross-Site Request Forgery to Custom CSS Update

The WPUpper Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.51. This is due to missing or incorrect nonce validation on the 'save_custom_css_request' function. This makes it possible for unauthenticated attackers to inject custom CSS to modify a site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-victorfreitasvictorfreitas
Product-wpupper_share_buttonsWPUpper Share Buttons
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1907
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.10% / 27.72%
7 Day CHG~0.00%
Published-27 Feb, 2024 | 11:05
Updated-07 Jan, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory function. This makes it possible for unauthenticated attackers to delete categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-frenifyfrenify
Product-categorifyCategorify – WordPress Media Library Category & File Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13405
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.01% / 1.70%
7 Day CHG~0.00%
Published-19 Feb, 2025 | 07:32
Updated-19 Feb, 2025 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block

The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation on the 'awp_ip_deny' page. This makes it possible for unauthenticated attackers to block IP addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-apptivo
Product-Apptivo Business Site CRM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12750
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 3.83%
7 Day CHG~0.00%
Published-15 May, 2025 | 20:06
Updated-09 Jun, 2025 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Competition Form <= 2.0 - Competition Deletion via CSRF

The Competition Form WordPress plugin through 2.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Action-Not Available
Vendor-raiserwebUnknown
Product-competition_formCompetition Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-1335
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.43%
7 Day CHG~0.00%
Published-20 Feb, 2024 | 18:56
Updated-31 Dec, 2024 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.13. This is due to missing or incorrect nonce validation on the disableOptimization function. This makes it possible for unauthenticated attackers to disable the image optimization setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-imagerecycleimagerecycle
Product-imagerecycle_pdf_\&_image_compressionImageRecycle pdf & image compression
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)