Total
8691 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13338 | 1 Cm-wp | 1 Clearfy | 2025-07-08 | N/A | 5.3 MEDIUM |
| The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on the wclearfy_cache_delete functionality . This makes it possible for unauthenticated attackers to clear the cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-53483 | 2025-07-08 | N/A | 8.8 HIGH | ||
| ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | |||||
| CVE-2025-31828 | 1 Easyappointments | 1 Easy\!appointments | 2025-07-08 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments allows Cross Site Request Forgery. This issue affects Easy!Appointments: from n/a through 1.4.2. | |||||
| CVE-2025-0669 | 1 Universityofcalifornia | 1 Boinc Server | 2025-07-08 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in BOINC Server allows Cross Site Request Forgery.This issue affects BOINC Server: before 1.4.3. | |||||
| CVE-2025-23972 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through 1.2.0. | |||||
| CVE-2025-6041 | 2025-07-08 | N/A | 6.1 MEDIUM | ||
| The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-53568 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station allows Cross Site Request Forgery. This issue affects Radio Station: from n/a through 2.5.12. | |||||
| CVE-2025-5933 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-53569 | 2025-07-08 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Trust Payments Trust Payments Gateway for WooCommerce (JavaScript Library) allows Cross Site Request Forgery. This issue affects Trust Payments Gateway for WooCommerce (JavaScript Library): from n/a through 1.3.6. | |||||
| CVE-2025-53540 | 2025-07-08 | N/A | N/A | ||
| arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1. | |||||
| CVE-2025-5937 | 1 Videowhisper | 1 Micropayments | 2025-07-08 | N/A | 4.3 MEDIUM |
| The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-6459 | 1 Scripteo | 1 Ads Pro | 2025-07-08 | N/A | 8.8 HIGH |
| The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-26206 | 1 Selldone | 1 Storefront | 2025-07-07 | N/A | 9.0 CRITICAL |
| Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component | |||||
| CVE-2025-25928 | 1 Openmrs | 1 Openmrs | 2025-07-07 | N/A | 8.0 HIGH |
| A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a low-privileged account to an administrative role by leveraging the CSRF vulnerability at the /admin/users/user.form endpoint. | |||||
| CVE-2024-5285 | 1 Tipsandtricks-hq | 1 Wp Affiliate Platform | 2025-07-07 | N/A | 5.5 MEDIUM |
| The wp-affiliate-platform WordPress plugin before 6.5.2 does not have CSRF check in place when deleting affiliates, which could allow attackers to make a logged in user change delete them via a CSRF attack | |||||
| CVE-2024-4839 | 1 Lollms | 1 Lollms-webui | 2025-07-07 | N/A | 3.3 LOW |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent. | |||||
| CVE-2025-5932 | 1 Coolrunner | 1 Homerunner | 2025-07-07 | N/A | 4.3 MEDIUM |
| The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-5936 | 1 Vr Calendar Project | 1 Vr Calendar | 2025-07-07 | N/A | 4.3 MEDIUM |
| The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-30154 | 1 Hcltech | 1 Hcl Sx | 2025-07-03 | N/A | 5.3 MEDIUM |
| HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | |||||
| CVE-2025-34050 | 2025-07-03 | N/A | N/A | ||
| A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction. | |||||