Total
8685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56140 | 1 Astro | 1 Astro | 2025-11-25 | N/A | 5.9 MEDIUM |
| Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-55057 | 1 Maxum | 1 Rumpus | 2025-11-24 | N/A | 4.5 MEDIUM |
| Multiple CWE-352 Cross-Site Request Forgery (CSRF) | |||||
| CVE-2025-13177 | 1 Bdtask | 1 Saleserp | 2025-11-24 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in Bdtask/CodeCanyon SalesERP up to 20250728. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13179 | 1 Bdtask | 1 Wholesale | 2025-11-24 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. This issue affects some unknown processing. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13142 | 2025-11-21 | N/A | 4.3 MEDIUM | ||
| The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13134 | 2025-11-21 | N/A | 6.1 MEDIUM | ||
| The AuthorSure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the 'authorsure' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-62346 | 2025-11-21 | N/A | 6.8 MEDIUM | ||
| A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint. | |||||
| CVE-2025-63955 | 1 Phpgurukul | 1 Student Record System | 2025-11-20 | N/A | 7.5 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS). | |||||
| CVE-2025-12535 | 2025-11-19 | N/A | 5.3 MEDIUM | ||
| The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin legitimately needs to support unauthenticated form submissions, it incorrectly uses generic REST nonces instead of form-specific nonces. This makes it possible for unauthenticated attackers to bypass CSRF protection on REST API endpoints that rely solely on nonce verification without additional authentication checks, allowing them to trigger unauthorized actions such as the plugin's own post-submission hooks and potentially other plugins' REST endpoints. | |||||
| CVE-2025-63712 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-11-18 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the endpoint relies solely on session cookies and lacks CSRF protection. | |||||
| CVE-2025-12404 | 2025-11-18 | N/A | 6.1 MEDIUM | ||
| The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12173 | 2025-11-18 | N/A | 4.3 MEDIUM | ||
| The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'wp-admin-microblog' page. This makes it possible for unauthenticated attackers to send messages on behalf of an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-9625 | 2025-11-18 | N/A | 4.3 MEDIUM | ||
| The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restrict_content function. This makes it possible for unauthenticated attackers to trigger CSS selector detection functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12827 | 2025-11-18 | N/A | 4.3 MEDIUM | ||
| The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12406 | 2025-11-18 | N/A | 6.1 MEDIUM | ||
| The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-63717 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-11-17 | N/A | 6.5 MEDIUM |
| The change password functionality at /pet_grooming/admin/change_pass.php in SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. The application does not implement adequate anti-CSRF tokens or same-site cookie restrictions, allowing attackers to trick authenticated users into unknowingly changing their passwords. | |||||
| CVE-2025-63716 | 1 Rems | 1 Leads Manager Tool | 2025-11-17 | N/A | 6.5 MEDIUM |
| The SourceCodester Leads Manager Tool v1.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthorized state-changing operations. The application lacks CSRF protection mechanisms such as anti-CSRF tokens or same-origin verification for critical endpoints. | |||||
| CVE-2025-63710 | 1 Pijey | 1 Simple Public Chat Room | 2025-11-17 | N/A | 6.5 MEDIUM |
| The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room. | |||||
| CVE-2025-63711 | 1 Lerouxyxchire | 1 Client Database Management System | 2025-11-17 | N/A | 7.1 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint (e.g., superadmin_user_delete.php) accepts POST requests containing a user_id parameter and does not enforce request origin or anti-CSRF tokens. Because the endpoint lacks proper authentication/authorization checks and CSRF protections, a remote attacker can craft a malicious page that triggers deletion when visited by an authenticated admin, resulting in arbitrary removal of user accounts. | |||||
| CVE-2025-13119 | 1 Fabian | 1 Simple E-banking System | 2025-11-17 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in Fabian Ros/SourceCodester Simple E-Banking System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been published and may be used. | |||||