Total
7618 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6857 | 1 Ngothang | 1 Wp Multitasking | 2025-04-22 | 4.3 Medium |
| The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack | ||||
| CVE-2024-6860 | 1 Ngothang | 1 Wp Multitasking | 2025-04-22 | 4.3 Medium |
| The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its permalink suffix settings, which could allow attackers to make logged admins perform such action via a CSRF attack | ||||
| CVE-2024-8243 | 1 Felixker | 1 Wordpress\/plugin Upgrade Time Out Plugin | 2025-04-22 | 6.3 Medium |
| The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-24837 | 2025-04-22 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; FG Joomla to WordPress: from n/a through 4.15.0. | ||||
| CVE-2024-23094 | 1 Flusity | 2 Cms, Flusity | 2025-04-22 | 8.8 High |
| Flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /cover/addons/info_media_gallery/action/edit_addon_post.php | ||||
| CVE-2025-3131 | 1 Drupal | 1 Eca\ | 2025-04-22 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal ECA: Event - Condition - Action allows Cross Site Request Forgery.This issue affects ECA: Event - Condition - Action: from 0.0.0 before 1.1.12, from 2.0.0 before 2.0.16, from 2.1.0 before 2.1.7, from 0.0.0 before 1.2.*. | ||||
| CVE-2024-23910 | 1 Elecom | 22 Wmc-x1800gst-b, Wmc-x1800gst-b Firmware, Wrc-1167gs2-b and 19 more | 2025-04-22 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in ELECOM wireless LAN routers and wireless LAN repeater allows a remote unauthenticated attacker to hijack the authentication of administrators and to perform unintended operations to the affected product. Note that WMC-X1800GST-B and WSC-X1800GS-B are also included in e-Mesh Starter Kit "WMC-2LX-B". | ||||
| CVE-2023-51696 | 1 Cleantalk | 1 Anti-spam | 2025-04-22 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in СleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20. | ||||
| CVE-2022-3883 | 1 Stopbadbots Project | 1 Stopbadbots | 2025-04-22 | 6.5 Medium |
| The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | ||||
| CVE-2022-3882 | 1 Wp-memory Project | 1 Wp-memory | 2025-04-22 | 6.5 Medium |
| The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | ||||
| CVE-2022-41924 | 2 Microsoft, Tailscale | 2 Windows, Tailscale | 2025-04-22 | 9.6 Critical |
| A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue. | ||||
| CVE-2022-41925 | 1 Tailscale | 1 Tailscale | 2025-04-22 | 8.8 High |
| A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue. | ||||
| CVE-2024-0431 | 1 Fabrick | 1 Gestpay For Woocommerce | 2025-04-22 | 4.3 Medium |
| The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2022-23475 | 1 Daloradius | 1 Daloradius | 2025-04-22 | 8.8 High |
| daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy. | ||||
| CVE-2024-25930 | 1 Nuggethon | 1 Custom Order Status Manager For Woocommerce | 2025-04-22 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Nuggethon Custom Order Statuses for WooCommerce.This issue affects Custom Order Statuses for WooCommerce: from n/a through 1.5.2. | ||||
| CVE-2024-21752 | 1 Wp-dreams | 1 Ajax Search | 2025-04-22 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Ernest Marcinko Ajax Search Lite allows Reflected XSS.This issue affects Ajax Search Lite: from n/a through 4.11.4. | ||||
| CVE-2024-56311 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | 8.8 High |
| REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. | ||||
| CVE-2024-56310 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | 8.8 High |
| REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. | ||||
| CVE-2022-46059 | 1 Aerocms Project | 1 Aerocms | 2025-04-22 | 6.5 Medium |
| AeroCMS v0.0.1 is vulnerable to Cross Site Request Forgery (CSRF). | ||||
| CVE-2022-3999 | 1 Dpdgroup | 1 Woocommerce Shipping | 2025-04-22 | 8.1 High |
| The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. | ||||