Export limit exceeded: 10351 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10351 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1382 | 1 Lordlinus | 1 Contact Us | 2026-01-09 | 6.1 Medium |
| The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-3643 | 2 Mndpsingh287, Newsletter Popup Project | 2 Newsletter Popup, Newsletter Popup | 2026-01-09 | 8.8 High |
| The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack | ||||
| CVE-2024-3406 | 1 Goprayer | 1 Wp Prayer | 2026-01-09 | 8.8 High |
| The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-12774 | 1 Pulseextensions | 1 Altra Side Menu | 2026-01-09 | 6.5 Medium |
| The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack | ||||
| CVE-2023-6503 | 1 Paulgriffinpetty | 1 Wp Plugin Lister | 2026-01-09 | 5.4 Medium |
| The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2021-24870 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2026-01-09 | 6.1 Medium |
| The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload | ||||
| CVE-2023-6845 | 1 Theresehansen | 1 Commenttweets | 2026-01-09 | 8.8 High |
| The CommentTweets WordPress plugin through 0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | ||||
| CVE-2024-27783 | 1 Fortinet | 1 Fortiaiops | 2026-01-09 | 7.2 High |
| Multiple cross-site request forgery (CSRF) weaknesses [CWE-352] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via tricking the victim to execute malicious GET requests. | ||||
| CVE-2023-28688 | 2 Themehunk, Wordpress | 2 Variation Swatches, Wordpress | 2026-01-09 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | ||||
| CVE-2024-47255 | 1 2n | 1 Access Commander | 2026-01-09 | 4.7 Medium |
| In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions. | ||||
| CVE-2024-23554 | 1 Hcltech | 1 Bigfix Platform | 2026-01-08 | 5.7 Medium |
| Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE). | ||||
| CVE-2024-29888 | 1 Saleor | 1 Saleor | 2026-01-08 | 4.2 Medium |
| Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`. | ||||
| CVE-2025-14414 | 1 Sodapdf | 1 Soda Pdf Desktop | 2026-01-07 | N/A |
| Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496. | ||||
| CVE-2024-31205 | 1 Saleor | 1 Saleor | 2026-01-07 | 4.2 Medium |
| Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware, that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`. | ||||
| CVE-2024-34809 | 2 Extendthemes, Wordpress | 2 Empowerwp, Wordpress | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes EmpowerWP.This issue affects EmpowerWP: from n/a through 1.0.21. | ||||
| CVE-2022-47443 | 1 Danielpowney | 1 Multi Rating | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions. | ||||
| CVE-2023-50931 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 2.0.1 for Bitbucket. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Bitbucket, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2023-50932 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 4.0.2 for Confluence. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Confluence, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2023-28802 | 1 Zscaler | 1 Client Connector | 2026-01-06 | 4.9 Medium |
| An Improper Validation of Integrity Check Value in Zscaler Client Connector on Windows allows an authenticated user to disable ZIA/ZPA by interrupting the service restart from Zscaler Diagnostics. This issue affects Client Connector: before 4.2.0.149. | ||||
| CVE-2024-6719 | 2 Webgarh, Wordpress | 2 Offload Videos, Wordpress | 2026-01-05 | 8.1 High |
| The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack | ||||