Total
8698 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-3520 | 1 Cmsphp Project | 1 Cmsphp | 2025-04-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in the Your_account module in CMSphp 0.21 allows remote attackers to hijack the authentication of administrators for requests that change an administrator password via the pseudo, pwd, and uid parameters in an admin_info_user_verif action. | |||||
| CVE-2007-4544 | 1 Wordpress | 1 Wordpress Mu | 2025-04-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field). | |||||
| CVE-2008-0271 | 1 Drupal | 1 Bueditor | 2025-04-09 | 4.3 MEDIUM | N/A |
| The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces. | |||||
| CVE-2008-0266 | 1 Eticket | 1 Eticket | 2025-04-09 | 2.6 LOW | N/A |
| Cross-site request forgery (CSRF) vulnerability in admin.php in eTicket 1.5.5.2 allows remote attackers to change the administrative password and possibly perform other administrative tasks. NOTE: either the old password must be known, or the attacker must leverage a separate SQL injection vulnerability. | |||||
| CVE-2007-5594 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-04-09 | 4.3 MEDIUM | N/A |
| Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. | |||||
| CVE-2008-3925 | 1 Hans Oesterholt | 1 Cmme | 2025-04-09 | 4.3 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in admin.php in Content Management Made Easy (CMME) 1.12 allows remote attackers to trigger the logout of an administrative user via a logout action. | |||||
| CVE-2009-0468 | 1 Armorlogic | 1 Profense Web Application Firewall | 2025-04-09 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown the server, (2) send ping packets, (3) enable network services, (4) configure a proxy server, and (5) modify other settings via parameters in the query string. | |||||
| CVE-2009-0969 | 1 Phpfox | 1 Phpfox | 2025-04-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in account/settings/account/index.php in phpFoX 1.6.21 allows remote attackers to hijack the authentication of administrators for requests that change the email address via the act[update] action. | |||||
| CVE-2023-7203 | 1 Rednao | 1 Smart Forms | 2025-04-08 | N/A | 6.1 MEDIUM |
| The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries. | |||||
| CVE-2024-1306 | 1 Rednao | 1 Smart Forms | 2025-04-08 | N/A | 5.4 MEDIUM |
| The Smart Forms WordPress plugin before 2.6.94 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk. | |||||
| CVE-2025-3064 | 2025-04-08 | N/A | 8.8 HIGH | ||
| The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances. | |||||
| CVE-2024-27474 | 1 Leantime | 1 Leantime | 2025-04-08 | N/A | 8.8 HIGH |
| Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators. | |||||
| CVE-2024-22721 | 1 Formtools | 1 Form Tools | 2025-04-08 | N/A | 6.3 MEDIUM |
| Cross Site Request Forgery (CSRF) vulnerability in Form Tools 3.1.1 allows attackers to manipulate sensitive user data via crafted link. | |||||
| CVE-2024-25572 | 1 Ninjaforms | 1 Ninja Forms | 2025-04-08 | N/A | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability exists in Ninja Forms prior to 3.4.31. If a website administrator views a malicious page while logging in, unintended operations may be performed. | |||||
| CVE-2023-22852 | 1 Tiki | 1 Tiki | 2025-04-07 | N/A | 6.5 MEDIUM |
| Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. | |||||
| CVE-2022-43719 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 8.8 HIGH |
| Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2024-9311 | 1 Hliu | 1 Large Language And Vision Assistant | 2025-04-07 | N/A | 6.1 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim. | |||||
| CVE-2024-2322 | 1 Cartflows | 1 Woocommerce Cart Abandonment Recovery | 2025-04-07 | N/A | 6.8 MEDIUM |
| The WooCommerce Cart Abandonment Recovery WordPress plugin before 1.2.27 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks. | |||||
| CVE-2025-30908 | 2025-04-07 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Shamalli Web Directory Free allows Stored XSS. This issue affects Web Directory Free: from n/a through 1.7.6. | |||||
| CVE-2025-32264 | 2025-04-07 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Saiful Islam UltraAddons Elementor Lite allows Cross Site Request Forgery. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0. | |||||