Total: 8623 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-52479 | 1 Astoundify | 1 Jobify | 2025-02-10 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Ben Marshall Jobify - Job Board WordPress Theme allows Cross Site Request Forgery. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3. | ||||
| CVE-2023-29008 | 1 Svelte | 1 Sveltekit | 2025-02-10 | 8.8 High |
| The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn't set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser. SvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner. | ||||
| CVE-2023-26845 | 1 Opencats | 1 Opencats | 2025-02-10 | 4.3 Medium |
| A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors. | ||||
| CVE-2024-39678 | 2 Boxystudio, Xjsv | 2 Cooked, Cooked | 2025-02-10 | 4.3 Medium |
| Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-39679 | 2 Boxystudio, Xjsv | 2 Cooked, Cooked | 2025-02-10 | 4.3 Medium |
| Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-39680 | 1 Boxystudio | 1 Cooked | 2025-02-10 | 5.4 Medium |
| Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-39681 | 1 Boxystudio | 1 Cooked | 2025-02-10 | 5.4 Medium |
| Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-0432 | 1 Fabrick | 1 Gestpay For Woocommerce | 2025-02-10 | 4.3 Medium |
| The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-0433 | 1 Fabrick | 1 Gestpay For Woocommerce | 2025-02-10 | 4.3 Medium |
| The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default_card' function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-5097 | 1 Argie | 1 Simple Inventory System | 2025-02-10 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in SourceCodester Simple Inventory System 1.0. Affected is an unknown function of the file /tableedit.php#page=editprice. The manipulation of the argument itemnumber leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265080. | ||||
| CVE-2024-54355 | 1 Wpmailster | 1 Wp Mailster | 2025-02-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in brandtoss WP Mailster allows Cross Site Request Forgery. This issue affects WP Mailster: from n/a through 1.8.17.0. | ||||
| CVE-2021-4096 | 1 Radykal | 1 Fancy Product Designer | 2025-02-07 | 8.8 High |
| The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5. | ||||
| CVE-2022-0707 | 1 Awesomemotive | 1 Easy Digital Downloads | 2025-02-07 | 4.3 Medium |
| The Easy Digital Downloads WordPress plugin before 2.11.6 does not have a CSRF check in place when inserting payment notes, which could allow attackers to make a logged-in admin insert arbitrary notes via a CSRF attack. | ||||
| CVE-2024-24872 | 1 Themify | 1 Builder | 2025-02-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder. This issue affects Themify Builder: from n/a through 7.0.5. | ||||
| CVE-2023-30529 | 1 Jenkins | 1 Lucene-search | 2025-02-07 | 4.3 Medium |
| Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database. | ||||
| CVE-2024-1446 | 1 Nextscripts | 1 Social Networks Auto Poster | 2025-02-07 | 5.4 Medium |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.3. This is due to missing or incorrect nonce validation on the nxssnap-reposter page. This makes it possible for unauthenticated attackers to delete arbitrary posts or pages via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-30525 | 1 Jenkins | 1 Report Portal | 2025-02-07 | 8.8 High |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication. | ||||
| CVE-2025-25074 | | | 2025-02-07 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Nirmal Kumar Ram WP Social Stream allows Stored XSS. This issue affects WP Social Stream: from n/a through 1.1. | ||||
| CVE-2025-25071 | | | 2025-02-07 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in topplugins Vignette Ads allows Stored XSS. This issue affects Vignette Ads: from n/a through 0.2. | ||||
| CVE-2025-25075 | | | 2025-02-07 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Show notice or message on admin area allows Stored XSS. This issue affects Show notice or message on admin area: from n/a through 2.0. | ||||