Monthly
Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to perform unauthorized actions via the evaluateCode function in the Mineflayer HTTP API component. The vulnerability requires user interaction (UI:R) and has limited integrity impact, but publicly available exploit code exists and the vendor has not yet responded to early notification.
Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to delete WooCommerce taxonomy terms via a malicious link that tricks site administrators or shop managers into performing an action. The vulnerability stems from missing nonce validation on the woobe_delete_tax_term() function, enabling integrity compromise with low CVSS impact (4.3) but requiring user interaction.
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre theme versions up to 2.5.4 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries a high integrity impact (CVSS 6.5). Despite a high CVSS score, the extremely low EPSS score (0.01%) suggests minimal real-world exploitation probability at time of analysis.
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.
Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to perform unauthorized actions via the evaluateCode function in the Mineflayer HTTP API component. The vulnerability requires user interaction (UI:R) and has limited integrity impact, but publicly available exploit code exists and the vendor has not yet responded to early notification.
Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to delete WooCommerce taxonomy terms via a malicious link that tricks site administrators or shop managers into performing an action. The vulnerability stems from missing nonce validation on the woobe_delete_tax_term() function, enabling integrity compromise with low CVSS impact (4.3) but requiring user interaction.
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre theme versions up to 2.5.4 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries a high integrity impact (CVSS 6.5). Despite a high CVSS score, the extremely low EPSS score (0.01%) suggests minimal real-world exploitation probability at time of analysis.
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.