Vulnerabilities (CVE)

Filtered by CWE-352
Total 3631 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1764 1 Wp-chgfontsize Project 1 Wp-chgfontsize 2022-06-21 3.5 LOW 5.4 MEDIUM
The WP-chgFontSize WordPress plugin through 1.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
CVE-2022-1763 1 Static Page Extended Project 1 Static Page Extended 2022-06-21 3.5 LOW 5.4 MEDIUM
Due to missing checks the Static Page eXtended WordPress plugin through 2.1 is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings
CVE-2022-1761 1 Peter\'s Collaboration E-mails Project 1 Peter\'s Collaboration E-mails 2022-06-21 4.3 MEDIUM 6.5 MEDIUM
The Peter’s Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more.
CVE-2022-1900 1 Copify 1 Copify 2022-06-21 6.8 MEDIUM 8.8 HIGH
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-1594 1 Hc Custom Wp-admin Url Project 1 Hc Custom Wp-admin Url 2022-06-21 4.3 MEDIUM 4.3 MEDIUM
The HC Custom WP-Admin URL WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL
CVE-2022-1765 1 Hot Linked Image Cacher Project 1 Hot Linked Image Cacher 2022-06-21 6.8 MEDIUM 8.8 HIGH
The Hot Linked Image Cacher WordPress plugin through 1.16 is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks (due to copyright violations or licensing rules).
CVE-2022-1787 1 Sideblog Project 1 Sideblog 2022-06-21 3.5 LOW 5.4 MEDIUM
The Sideblog WordPress plugin through 6.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
CVE-2022-1781 1 Posttabs Project 1 Posttabs 2022-06-21 3.5 LOW 5.4 MEDIUM
The postTabs WordPress plugin through 2.10.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
CVE-2022-1780 1 Latex Project 1 Latex 2022-06-21 3.5 LOW 5.4 MEDIUM
The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping
CVE-2022-1779 1 Auto Delete Posts Project 1 Auto Delete Posts 2022-06-21 5.8 MEDIUM 8.1 HIGH
The Auto Delete Posts WordPress plugin through 1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once.
CVE-2022-1791 1 One Click Plugin Updater Project 1 One Click Plugin Updater 2022-06-21 5.8 MEDIUM 8.1 HIGH
The One Click Plugin Updater WordPress plugin through 2.4.14 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable / hide the badge of the available updates and the related check.
CVE-2022-1790 1 New User Email Set Up Project 1 New User Email Set Up 2022-06-21 4.3 MEDIUM 6.5 MEDIUM
The New User Email Set Up WordPress plugin through 0.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2022-1788 1 Change Uploaded File Permissions Project 1 Change Uploaded File Permissions 2022-06-21 4.3 MEDIUM 6.5 MEDIUM
Due to missing checks the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files like ini files are made readable for everyone due to this.
CVE-2022-1793 1 Private Files Project 1 Private Files 2022-06-21 4.3 MEDIUM 4.3 MEDIUM
The Private Files WordPress plugin through 0.40 is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public
CVE-2022-1792 1 Quick Subscribe Project 1 Quick Subscribe 2022-06-21 3.5 LOW 5.4 MEDIUM
The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them
CVE-2022-1895 2022-06-21 N/A N/A
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2022-1818 2022-06-21 N/A N/A
The Multi-page Toolkit WordPress plugin through 2.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well
CVE-2022-1610 2022-06-21 N/A N/A
The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2022-1826 2022-06-21 N/A N/A
The Cross-Linker WordPress plugin through 3.0.1.9 does not have CSRF check in place when creating Cross-Links, which could allow attackers to make a logged in admin perform such action via a CSRF attack
CVE-2022-1827 2022-06-21 N/A N/A
The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack