Total
5658 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-38457 | 1 Xenforo | 1 Xenforo | 2024-07-26 | N/A | 8.8 HIGH |
Xenforo before 2.2.16 allows CSRF. | |||||
CVE-2024-7106 | 2024-07-26 | 5.0 MEDIUM | 4.3 MEDIUM | ||
A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-6244 | 1 Projectzealous | 1 Pz Frontend Manager | 2024-07-25 | N/A | 8.8 HIGH |
The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | |||||
CVE-2024-6271 | 1 Community Events Project | 1 Community Events | 2024-07-25 | N/A | 5.4 MEDIUM |
The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack | |||||
CVE-2023-6968 | 1 Themoneytizer | 1 The Moneytizer | 2024-07-25 | N/A | 5.4 MEDIUM |
The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.5.20. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-3246 | 2024-07-24 | N/A | 6.1 MEDIUM | ||
The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-7065 | 2024-07-24 | 5.0 MEDIUM | 4.3 MEDIUM | ||
A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272346 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-6751 | 2024-07-24 | N/A | 6.3 MEDIUM | ||
The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options. | |||||
CVE-2023-6251 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 3.5 LOW |
Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allow an authenticated attacker to delete user-messages for individual users. | |||||
CVE-2022-48320 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 4.3 MEDIUM |
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages. | |||||
CVE-2024-40034 | 1 Idccms Project | 1 Idccms | 2024-07-22 | N/A | 8.8 HIGH |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userLevel_deal.php?mudi=del | |||||
CVE-2024-40039 | 1 Idccms Project | 1 Idccms | 2024-07-22 | N/A | 8.8 HIGH |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userGroup_deal.php?mudi=del | |||||
CVE-2024-40037 | 1 Idccms Project | 1 Idccms | 2024-07-22 | N/A | 8.8 HIGH |
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userScore_deal.php?mudi=del | |||||
CVE-2024-5804 | 2024-07-22 | N/A | 4.3 MEDIUM | ||
The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
CVE-2024-35684 | 1 10up | 1 Elasticpress | 2024-07-18 | N/A | 4.3 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in 10up ElasticPress.This issue affects ElasticPress: from n/a through 5.1.1. | |||||
CVE-2024-35689 | 1 Analytify | 1 Analytify - Google Analytics Dashboard | 2024-07-18 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in Analytify.This issue affects Analytify: from n/a through 5.2.3. | |||||
CVE-2024-34008 | 1 Moodle | 1 Moodle | 2024-07-18 | N/A | 8.8 HIGH |
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk. | |||||
CVE-2024-5003 | 1 Jankarres | 1 Wp Stacker | 2024-07-18 | N/A | 5.4 MEDIUM |
The WP Stacker WordPress plugin through 1.8.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
CVE-2024-39678 | 2024-07-18 | N/A | 4.3 MEDIUM | ||
Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2024-39679 | 2024-07-18 | N/A | 4.3 MEDIUM | ||
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |