Skip to main content

CSRF

8445 CVEs technique

Monthly

CVE-2026-22800 LOW PATCH Monitor

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. [CVSS 2.4 LOW]

CSRF Pilos
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-22794 CRITICAL POC PATCH Act Now

Appsmith before 1.93 allows attackers to control the Origin header value used as the base URL in password reset and email verification links. Attackers can redirect authentication tokens to their domain, enabling account takeover. PoC available, patch available.

CSRF Appsmith
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2021-41074 MEDIUM This Month

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [CVSS 5.4 MEDIUM]

PHP CSRF Qloapps
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22033 PyPI MEDIUM POC PATCH This Month

Stored XSS in Label Studio's custom_hotkeys feature allows authenticated attackers to inject malicious JavaScript that executes in other users' browsers, potentially enabling API token theft and account takeover due to insufficient CSRF protections. Public exploit code exists for this vulnerability affecting Label Studio 1.22.0 and earlier. An attacker could abuse this to gain unauthorized API access or perform actions on behalf of compromised users.

XSS CSRF Label Studio
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14976 MEDIUM This Month

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22030 npm MEDIUM PATCH This Month

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

React CSRF React Router Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22194 HIGH This Week

GestSup through version 3.2.60 fails to implement CSRF protections, enabling attackers to forge requests that execute actions with a victim's privileges when they visit a malicious site. An unauthenticated attacker can exploit this to create privileged administrative accounts by targeting logged-in users, with no patch currently available to remediate the vulnerability.

CSRF Gestsup
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-13749 MEDIUM This Month

The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68158 PyPI MEDIUM POC PATCH This Month

Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]

Python CSRF Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-61547 MEDIUM POC This Month

Print Shop Pro Webdesk versions up to 18.34 is affected by cross-site request forgery (csrf) (CVSS 6.8).

CSRF Print Shop Pro Webdesk
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2019-25259 MEDIUM POC This Month

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-31963 LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by missing authentication for critical function (CVSS 2.9).

CSRF Bigfix Insights For Vulnerability Remediation
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2025-14999 MEDIUM This Month

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. [CVSS 4.3 MEDIUM]

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14904 MEDIUM This Month

Newsletter Email Subscribe (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14845 MEDIUM This Month

NS IE Compatibility Fixer (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14468 MEDIUM This Month

The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14465 MEDIUM This Month

Sticky Action Buttons (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14077 MEDIUM This Month

The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13990 MEDIUM This Month

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as cl...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13657 MEDIUM This Month

HelpDesk contact form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13527 MEDIUM This Month

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13521 MEDIUM This Month

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13520 MEDIUM This Month

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13519 MEDIUM This Month

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. [CVSS 6.1 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-36918 MEDIUM POC This Month

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2020-36913 MEDIUM This Month

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. [CVSS 5.3 MEDIUM]

PHP Industrial CSRF Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2020-36908 MEDIUM POC This Month

Snapgear Sg560 Firmware versions up to 3.1.5 is affected by cross-site request forgery (csrf) (CVSS 5.3).

CSRF Snapgear Sg560 Firmware
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2020-36906 MEDIUM POC This Month

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53344 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. [CVSS 4.3 MEDIUM]

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2023-52212 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. [CVSS 5.4 MEDIUM]

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21430 CRITICAL POC Act Now

Emlog 2.5.23 is vulnerable to CSRF in article creation, which chains with stored XSS to achieve account takeover. An attacker can force an admin to create an article containing malicious JavaScript that steals their session. No patch available.

XSS CSRF Emlog
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-12685 MEDIUM This Month

WPBookit WordPre versions up to 1.0.7 contains a vulnerability that allows attackers to an unauthenticated attacker to delete any customer through a CSRF attack (CVSS 6.5).

WordPress CSRF PHP
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15405 MEDIUM POC This Month

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. [CVSS 4.3 MEDIUM]

CSRF Phpems
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-31054 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through <= 2.0.8.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-62123 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62113 MEDIUM This Month

Cross-site request forgery (CSRF) in the Co-marquage service-public.fr WordPress plugin up to version 0.5.77 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and shows minimal exploitation probability (0.01% EPSS), with no public exploit code or active exploitation indicators identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62101 MEDIUM This Month

Cross-site request forgery (CSRF) in Pardakht Delkhah WordPress plugin through version 3.0.0 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious pages. The vulnerability affects all versions up to and including 3.0.0, though no CVSS score or public exploit code has been published. This represents a low-probability exploitation risk (EPSS 0.01%) despite the attack vector being network-accessible, likely due to the social engineering requirement inherent to CSRF attacks.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63040 MEDIUM This Month

Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11, though no CVSS vector or EPSS exploitation probability above baseline has been assigned, suggesting limited real-world exploit infrastructure exists at this time.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63014 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62148 MEDIUM This Month

Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62133 MEDIUM This Month

FormFacade WordPress plugin version 1.4.1 and earlier contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but can lead to modification of plugin settings or data depending on affected functionality. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62089 MEDIUM This Month

Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62084 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62080 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59130 MEDIUM This Month

Cross-site request forgery vulnerability in Appointify WordPress plugin versions up to 1.0.8 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects a WordPress plugin used for appointment scheduling, enabling attackers to manipulate plugin functionality without explicit user consent. With an EPSS score of 0.02% (5th percentile), exploitation likelihood is minimal despite the technical severity classification.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62134 MEDIUM This Month

Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62120 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62117 MEDIUM This Month

Cross-site request forgery (CSRF) in Jayce53 EasyIndex WordPress plugin versions up to 1.1.1704 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by inducing them to visit malicious web pages. The vulnerability affects all versions from the earliest tracked through 1.1.1704. No public exploit code or confirmed active exploitation has been identified; EPSS probability is minimal at 0.02% (5th percentile), suggesting low real-world exploitation likelihood despite the CSRF vector.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62992 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.

CSRF Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49028 HIGH This Week

Stored XSS vulnerability in Zoho ZeptoMail transmail WordPress plugin through version 3.3.1 can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries low exploitation probability (EPSS 0.02%) despite the high-impact nature of stored XSS.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68885 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49354 HIGH This Week

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49353 HIGH This Week

Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49345 HIGH This Week

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49344 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49343 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49342 HIGH This Week

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-59137 HIGH This Week

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49346 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-59131 HIGH This Week

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-62112 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality and carries minimal real-world exploitation risk based on EPSS scoring (0.02%, 5th percentile), indicating low likelihood of automated exploitation despite the CSRF vector requiring no special privileges or authentication from the attacker's perspective.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-52835 CRITICAL Act Now

CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-69021 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68998 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68601 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68584 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery.This issue affects Vimeotheque: from n/a through <= 2.3.5.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68583 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery.This issue affects Fast User Switching: from n/a through <= 1.4.10.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68580 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery.This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68573 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery.This issue affects Simple Keyword to Link: from n/a through <= 1.5.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68567 MEDIUM This Month

Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68529 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67625 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery.This issue affects Trade Runner: from n/a through <= 3.14.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67622 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14163 MEDIUM PATCH This Month

Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.

WordPress CSRF Premium Addons For Elementor Elementor
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62880 MEDIUM This Month

Cross-site request forgery (CSRF) in Kunal Custom 404 Pro WordPress plugin through version 3.12.0 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects all versions up to and including 3.12.0, with no CVSS score assigned at the time of analysis. No public exploit code has been identified, and the EPSS score of 0.02% indicates minimal likelihood of active exploitation despite the moderate technical severity of CSRF flaws.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62107 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in PluginOps Feather Login Page WordPress plugin versions up to 1.1.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability stems from missing CSRF token validation on plugin functionality, enabling attackers to craft malicious requests that execute when users visit attacker-controlled pages while logged into sites using the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis; however, the low EPSS score (0.02%) and lack of CVSS data suggest this may represent a lower-severity implementation gap rather than a critical attack vector in typical WordPress deployments.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-1927 HIGH This Week

Authenticated attackers can perform unauthorized state-changing operations in Restajet Online Food Delivery System (all versions through December 19, 2025) by exploiting missing CSRF protections. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling indicates only 0.02% exploitation probability (5th percentile). No public exploit identified at time of analysis, and vendor did not respond to disclosure attempts.

CSRF
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14546 PyPI MEDIUM PATCH This Month

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

Authentication Bypass CSRF
NVD GitHub
CVSS 4.0
5.4
EPSS
0.2%
CVE-2025-68083 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery.This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68082 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-64239 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery.This issue affects RTL Tester: from n/a through <= 1.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64237 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery.This issue affects Quick Interest Slider: from n/a through <= 3.1.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14354 MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-34430 Go MEDIUM This Month

Cross-site request forgery in 1Panel versions 1.10.33 through 2.0.15 allows a remote attacker to change an authenticated user's panel name by luring them to a malicious webpage. The panel name management endpoint omits both anti-CSRF tokens and Origin/Referer header validation, so the victim's browser automatically includes valid session cookies when the forged request fires. No public exploit code and no CISA KEV listing exist at time of analysis; real-world impact is limited to low-integrity panel configuration tampering.

CSRF 1panel
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2025-34429 Go HIGH This Week

Cross-site request forgery in 1Panel (versions 1.10.33 through 2.0.15) lets a remote attacker change the TCP port the web management service listens on by luring an authenticated administrator to a malicious webpage. Because the port-change endpoint has no anti-CSRF token or Origin/Referer checks, the victim's browser silently replays valid session cookies, moving the panel off its expected port and causing loss of access, denial of service, or unintended exposure on an attacker-chosen port. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially craftable given the described missing defenses.

CSRF Denial Of Service 1panel
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-34410 Go HIGH This Week

Account lockout denial-of-service in 1Panel (versions 1.10.33 through 2.0.15) allows a remote attacker to forcibly change an authenticated victim's username via a cross-site request forgery flaw in the Change Username endpoint at /settings/panel. Because the endpoint lacks anti-CSRF tokens and Origin/Referer validation, a victim who visits a malicious page while logged in unknowingly submits a username change with valid session cookies, after which they are logged out and locked out of their account. No public exploit identified at time of analysis; disclosed via a VulnCheck advisory with no CISA KEV listing and no EPSS data supplied.

CSRF Denial Of Service 1panel
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-67598 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery.This issue affects SupportCandy: from n/a through <= 3.4.1.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67596 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery.This issue affects Business Directory: from n/a through <= 6.4.19.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67595 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery.This issue affects Quiz Maker: from n/a through <= 6.7.0.82.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67593 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery.This issue affects UsersWP: from n/a through <= 1.2.48.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 2.4
LOW PATCH Monitor

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. [CVSS 2.4 LOW]

CSRF Pilos
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Appsmith before 1.93 allows attackers to control the Origin header value used as the base URL in password reset and email verification links. Attackers can redirect authentication tokens to their domain, enabling account takeover. PoC available, patch available.

CSRF Appsmith
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. [CVSS 5.4 MEDIUM]

PHP CSRF Qloapps
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS in Label Studio's custom_hotkeys feature allows authenticated attackers to inject malicious JavaScript that executes in other users' browsers, potentially enabling API token theft and account takeover due to insufficient CSRF protections. Public exploit code exists for this vulnerability affecting Label Studio 1.22.0 and earlier. An attacker could abuse this to gain unauthorized API access or perform actions on behalf of compromised users.

XSS CSRF Label Studio
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

React CSRF React Router +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

GestSup through version 3.2.60 fails to implement CSRF protections, enabling attackers to forge requests that execute actions with a victim's privileges when they visit a malicious site. An unauthenticated attacker can exploit this to create privileged administrative accounts by targeting logged-in users, with no patch currently available to remediate the vulnerability.

CSRF Gestsup
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]

Python CSRF Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Print Shop Pro Webdesk versions up to 18.34 is affected by cross-site request forgery (csrf) (CVSS 6.8).

CSRF Print Shop Pro Webdesk
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 2.9
LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by missing authentication for critical function (CVSS 2.9).

CSRF Bigfix Insights For Vulnerability Remediation
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. [CVSS 4.3 MEDIUM]

WordPress PHP CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Newsletter Email Subscribe (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

NS IE Compatibility Fixer (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sticky Action Buttons (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as cl...

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

HelpDesk contact form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. [CVSS 6.1 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. [CVSS 5.3 MEDIUM]

PHP Industrial CSRF +1
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Snapgear Sg560 Firmware versions up to 3.1.5 is affected by cross-site request forgery (csrf) (CVSS 5.3).

CSRF Snapgear Sg560 Firmware
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery.This issue affects Thim Core: from n/a through 2.3.3. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. [CVSS 5.4 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Emlog 2.5.23 is vulnerable to CSRF in article creation, which chains with stored XSS to achieve account takeover. An attacker can force an admin to create an article containing malicious JavaScript that steals their session. No patch available.

XSS CSRF Emlog
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

WPBookit WordPre versions up to 1.0.7 contains a vulnerability that allows attackers to an unauthenticated attacker to delete any customer through a CSRF attack (CVSS 6.5).

WordPress CSRF PHP
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. [CVSS 4.3 MEDIUM]

CSRF Phpems
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through <= 2.0.8.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in the Co-marquage service-public.fr WordPress plugin up to version 0.5.77 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and shows minimal exploitation probability (0.01% EPSS), with no public exploit code or active exploitation indicators identified.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in Pardakht Delkhah WordPress plugin through version 3.0.0 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious pages. The vulnerability affects all versions up to and including 3.0.0, though no CVSS score or public exploit code has been published. This represents a low-probability exploitation risk (EPSS 0.01%) despite the attack vector being network-accessible, likely due to the social engineering requirement inherent to CSRF attacks.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11, though no CVSS vector or EPSS exploitation probability above baseline has been assigned, suggesting limited real-world exploit infrastructure exists at this time.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

FormFacade WordPress plugin version 1.4.1 and earlier contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but can lead to modification of plugin settings or data depending on affected functionality. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been identified.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery vulnerability in Appointify WordPress plugin versions up to 1.0.8 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects a WordPress plugin used for appointment scheduling, enabling attackers to manipulate plugin functionality without explicit user consent. With an EPSS score of 0.02% (5th percentile), exploitation likelihood is minimal despite the technical severity classification.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery (CSRF) in Jayce53 EasyIndex WordPress plugin versions up to 1.1.1704 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by inducing them to visit malicious web pages. The vulnerability affects all versions from the earliest tracked through 1.1.1704. No public exploit code or confirmed active exploitation has been identified; EPSS probability is minimal at 0.02% (5th percentile), suggesting low real-world exploitation likelihood despite the CSRF vector.

CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.

CSRF Path Traversal
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS vulnerability in Zoho ZeptoMail transmail WordPress plugin through version 3.3.1 can be triggered via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries low exploitation probability (EPSS 0.02%) despite the high-impact nature of stored XSS.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality and carries minimal real-world exploitation risk based on EPSS scoring (0.02%, 5th percentile), indicating low likelihood of automated exploitation despite the CSRF vector requiring no special privileges or authentication from the attacker's perspective.

CSRF
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.

WordPress CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery.This issue affects Vimeotheque: from n/a through <= 2.3.5.2.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery.This issue affects Fast User Switching: from n/a through <= 1.4.10.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery.This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery.This issue affects Simple Keyword to Link: from n/a through <= 1.5.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery.This issue affects Trade Runner: from n/a through <= 3.14.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.

WordPress CSRF Premium Addons For Elementor +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in Kunal Custom 404 Pro WordPress plugin through version 3.12.0 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects all versions up to and including 3.12.0, with no CVSS score assigned at the time of analysis. No public exploit code has been identified, and the EPSS score of 0.02% indicates minimal likelihood of active exploitation despite the moderate technical severity of CSRF flaws.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in PluginOps Feather Login Page WordPress plugin versions up to 1.1.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability stems from missing CSRF token validation on plugin functionality, enabling attackers to craft malicious requests that execute when users visit attacker-controlled pages while logged into sites using the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis; however, the low EPSS score (0.02%) and lack of CVSS data suggest this may represent a lower-severity implementation gap rather than a critical attack vector in typical WordPress deployments.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated attackers can perform unauthorized state-changing operations in Restajet Online Food Delivery System (all versions through December 19, 2025) by exploiting missing CSRF protections. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling indicates only 0.02% exploitation probability (5th percentile). No public exploit identified at time of analysis, and vendor did not respond to disclosure attempts.

CSRF
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery.This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery.This issue affects RTL Tester: from n/a through <= 1.2.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery.This issue affects Quick Interest Slider: from n/a through <= 3.1.5.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site request forgery in 1Panel versions 1.10.33 through 2.0.15 allows a remote attacker to change an authenticated user's panel name by luring them to a malicious webpage. The panel name management endpoint omits both anti-CSRF tokens and Origin/Referer header validation, so the victim's browser automatically includes valid session cookies when the forged request fires. No public exploit code and no CISA KEV listing exist at time of analysis; real-world impact is limited to low-integrity panel configuration tampering.

CSRF 1panel
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Cross-site request forgery in 1Panel (versions 1.10.33 through 2.0.15) lets a remote attacker change the TCP port the web management service listens on by luring an authenticated administrator to a malicious webpage. Because the port-change endpoint has no anti-CSRF token or Origin/Referer checks, the victim's browser silently replays valid session cookies, moving the panel off its expected port and causing loss of access, denial of service, or unintended exposure on an attacker-chosen port. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially craftable given the described missing defenses.

CSRF Denial Of Service 1panel
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Account lockout denial-of-service in 1Panel (versions 1.10.33 through 2.0.15) allows a remote attacker to forcibly change an authenticated victim's username via a cross-site request forgery flaw in the Change Username endpoint at /settings/panel. Because the endpoint lacks anti-CSRF tokens and Origin/Referer validation, a victim who visits a malicious page while logged in unknowingly submits a username change with valid session cookies, after which they are logged out and locked out of their account. No public exploit identified at time of analysis; disclosed via a VulnCheck advisory with no CISA KEV listing and no EPSS data supplied.

CSRF Denial Of Service 1panel
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery.This issue affects SupportCandy: from n/a through <= 3.4.1.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery.This issue affects Business Directory: from n/a through <= 6.4.19.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery.This issue affects Quiz Maker: from n/a through <= 6.7.0.82.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery.This issue affects UsersWP: from n/a through <= 1.2.48.

CSRF
NVD
Prev Page 10 of 94 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy