Skip to main content

CSRF

8445 CVEs technique

Monthly

CVE-2025-54041 MEDIUM This Month

Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54039 MEDIUM This Month

Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54038 MEDIUM This Month

Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-54036 MEDIUM This Month

Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54035 MEDIUM This Month

Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54033 MEDIUM This Month

Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk despite the security-conscious WordPress ecosystem.

CSRF
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54030 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.

WordPress CSRF Google
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54022 MEDIUM This Month

Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).

CSRF
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54020 MEDIUM This Month

Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the extremely low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact despite the CVSS categorization.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-54010 CRITICAL Act Now

Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-48153 HIGH This Week

Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting attacks through forged requests that bypass CSRF protections. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-43856 HIGH PATCH This Week

Immich versions prior to 1.132.0 are vulnerable to account hijacking through OAuth2 state parameter validation bypass (CWE-303). An attacker can perform unauthorized account linkage by exploiting missing state parameter verification, allowing them to hijack victim accounts through crafted OAuth login URLs or hidden iframes embedded in malicious webpages. This vulnerability is particularly dangerous when OAuth providers are publicly accessible, and affected users can be compromised without direct interaction if the /user-settings redirect_uri is configured.

Google CSRF
NVD GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2025-49462 LOW PATCH Monitor

Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access.

XSS CSRF
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-7379 MEDIUM PATCH This Month

A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.

CSRF
NVD
CVSS 4.0
5.2
EPSS
0.0%
CVE-2025-53540 HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1.

RCE CSRF
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-20322 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

CSRF Denial Of Service Splunk Cloud Platform Splunk
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20321 MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

CSRF Splunk Splunk Cloud Platform
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-7133 LOW POC Monitor

A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-7078 LOW POC Monitor

A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-53483 HIGH PATCH This Week

ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

PHP CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-53569 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Trust Payments Trust Payments Gateway for WooCommerce (JavaScript Library) allows Cross Site Request Forgery. This issue affects Trust Payments Gateway for WooCommerce (JavaScript Library): from n/a through 1.3.6.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53568 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station allows Cross Site Request Forgery. This issue affects Radio Station: from n/a through 2.5.12.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-23972 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through 1.2.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-6041 MEDIUM This Month

The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-5933 MEDIUM This Month

The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-5924 MEDIUM This Month

The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Wp Firebase Push Notification PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-27454 MEDIUM This Month

The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request that they did not intend. The request uses the victim's browser's saved authorization to execute the request.

CSRF Meac300 Fnade4 Firmware
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-52841 HIGH POC This Week

Cross-Site Request Forgery (CSRF) vulnerability in Laundry on Linux, MacOS allows to perform an Account Takeover. This issue affects Laundry: 2.3.0.

Apple CSRF Laundry macOS
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-52463 LOW Monitor

Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in.

CSRF
NVD
CVSS 3.0
3.1
EPSS
0.0%
CVE-2025-6459 HIGH This Week

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP WordPress CSRF Ads Pro
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-34050 MEDIUM POC This Month

A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.

CSRF
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-53095 CRITICAL PATCH Act Now

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

CSRF Command Injection Sunshine
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-24289 HIGH PATCH This Week

A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default.

XSS CSRF Privilege Escalation
NVD
CVSS 3.0
7.5
EPSS
0.0%
CVE-2025-6865 LOW POC Monitor

A vulnerability, which was classified as problematic, was found in DaiCuo up to 1.3.13. This affects an unknown part of the file /admin.php/addon/index. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-6864 LOW POC Monitor

A vulnerability, which was classified as problematic, has been found in SeaCMS up to 13.2. Affected by this issue is some unknown functionality of the file /admin_type.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-5937 MEDIUM PATCH This Month

The MicroPayments - Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Micropayments PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-50370 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete inquiry records via a simple GET request, without requiring a CSRF token or validating the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-50369 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Manage Card functionality (/mcgs/admin/manage-card.php) of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical card records by sending a simple GET request without verifying the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53338 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53332 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ethoseo Track Everything allows Stored XSS. This issue affects Track Everything: from n/a through 2.0.1.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53331 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53329 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53327 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in rui_mashita Aioseo Multibyte Descriptions allows Cross Site Request Forgery. This issue affects Aioseo Multibyte Descriptions: from n/a through 0.0.6.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53317 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in AcmeeDesign WPShapere Lite allows Stored XSS. This issue affects WPShapere Lite: from n/a through 1.4.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53315 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in alanft Relocate Upload allows Stored XSS. This issue affects Relocate Upload: from n/a through 0.24.1.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53314 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in sh1zen WP Optimizer allows SQL Injection. This issue affects WP Optimizer: from n/a through 2.3.6.

CSRF SQLi
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-53313 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53312 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Looks Awesome OnionBuzz allows Stored XSS. This issue affects OnionBuzz: from n/a through 1.0.7.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53311 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53310 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Funnnny HidePost allows Reflected XSS. This issue affects HidePost: from n/a through 2.3.8.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53308 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in gopi_plus Image Slider With Description allows Stored XSS. This issue affects Image Slider With Description: from n/a through 9.2.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53305 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in lucidcrew WP Forum Server allows Stored XSS. This issue affects WP Forum Server: from n/a through 1.8.2.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53277 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-53274 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Hossin Asaadi WP Permalink Translator allows Stored XSS. This issue affects WP Permalink Translator: from n/a through 1.7.6.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53273 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Slickstream Slickstream allows Cross Site Request Forgery. This issue affects Slickstream: from n/a through 2.0.3.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53272 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in opicron Image Cleanup allows Cross Site Request Forgery. This issue affects Image Cleanup: from n/a through 1.9.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53271 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Anton Bond Additional Order Filters for WooCommerce allows Stored XSS. This issue affects Additional Order Filters for WooCommerce: from n/a through 1.22.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53270 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA allows Cross Site Request Forgery. This issue affects WordPress CTA: from n/a through 1.6.9.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53269 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through 1.1.3.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53268 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through 1.5.12.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53267 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Husain Hide Admin Bar From Front End allows Cross Site Request Forgery. This issue affects Hide Admin Bar From Front End: from n/a through 1.0.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53265 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Elena Yamshikova Virusdie allows Cross Site Request Forgery. This issue affects Virusdie: from n/a through 1.1.3.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53264 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Konrád Koller ONet Regenerate Thumbnails allows Cross Site Request Forgery. This issue affects ONet Regenerate Thumbnails: from n/a through 1.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53263 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in PluginsCafe Address Autocomplete via Google for Gravity Forms allows Cross Site Request Forgery. This issue affects Address Autocomplete via Google for Gravity Forms: from n/a through 1.3.4.

Google CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53262 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Writesonic Writesonic allows Cross Site Request Forgery. This issue affects Writesonic: from n/a through 1.0.4.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-53261 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53254 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53203 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.148.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53197 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-53193 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-5936 MEDIUM This Month

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Vr Calendar PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-48921 HIGH PATCH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.

CSRF Open Social Drupal
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-48497 MEDIUM This Month

Cross-site request forgery vulnerability exists in iroha Board versions v0.10.12 and earlier. If a user accesses a specially crafted URL while being logged in to the affected product, arbitrary learning histories may be registered.

CSRF Iroha Board
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2025-5932 MEDIUM This Month

The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-6664 LOW POC Monitor

A vulnerability, which was classified as problematic, was found in CodeAstro Patient Record Management System 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-50179 MEDIUM PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a cross-site request forgery vulnerability in Tuleap Community Edition prior to version 16.8.99.1749830289 and Tuleap Enterprise Edition prior to version 16.9-1 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1749830289 and Tuleap Enterprise Edition 16.9-1 contain a patch for the issue.

CSRF Tuleap
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-48991 MEDIUM PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a vulnerability present in Tuleap Community Edition prior to version 16.8.99.1748845907 and Tuleap Enterprise Edition prior to versions 16.8-3 and 16.7-5 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1748845907, Tuleap Enterprise Edition 16.8-3, and Tuleap Enterprise Edition 16.7-5 contain a fix for the vulnerability.

CSRF Tuleap
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-52968 LOW PATCH Monitor

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

CSRF Ubuntu Debian
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-6478 LOW Monitor

A vulnerability was found in CodeAstro Expense Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely.

CSRF
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-6476 LOW POC Monitor

A vulnerability was found in SourceCodester Gym Management System 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2024-4994 HIGH POC PATCH This Week

CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.

CSRF Gitlab RCE
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52825 HIGH This Week

A privilege escalation vulnerability in Rameez Iqbal Real Estate Manager allows Privilege Escalation (CVSS 8.8). High severity vulnerability requiring prompt remediation.

CSRF Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-52795 HIGH This Week

CVE-2025-52795 is a Cross-Site Request Forgery (CSRF) vulnerability in the aharonyan WP Front User Submit / Front Editor WordPress plugin (versions up to 4.9.4) that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 with high availability impact, enabling attackers to modify or delete user-submitted content through malicious web requests without user consent.

CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52794 HIGH This Week

CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52793 HIGH This Week

CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52792 HIGH This Week

CVE-2025-52792 is a Cross-Site Request Forgery (CSRF) vulnerability in the vgstef WP User Stylesheet Switcher WordPress plugin (versions up to v2.2.0) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a simple network request with user interaction to inject malicious scripts that execute in victims' browsers, potentially compromising user sessions and data. The vulnerability has not been confirmed as actively exploited in the wild, though the high CVSS score (7.1) and network-accessible attack vector indicate practical exploitability.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52791 HIGH This Week

CVE-2025-52791 is a CSRF vulnerability in devfelixmoira Knowledge Base Maker (versions up to 1.1.8) that enables Stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts that persist and execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can affect multiple users through stored payloads, with a CVSS score of 7.1 indicating medium-high severity. No KEV listing or confirmed EPSS data is available in public sources, and patch availability status requires verification with the vendor.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52790 HIGH This Week

CVE-2025-52790 is a CSRF vulnerability in the r-win WP-DownloadCounter WordPress plugin (versions through 1.01) that enables Stored XSS attacks. An attacker can craft malicious requests that, when clicked by an administrator, inject persistent JavaScript into the plugin's data storage, affecting all site visitors. The CVSS 7.1 score reflects moderate severity with network-based attack delivery and user interaction requirements, though the actual exploitability and active exploitation status require verification against KEV and EPSS data.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52789 HIGH This Week

A cross-site scripting vulnerability in George Lewe Lewe ChordPress allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52784 HIGH This Week

CVE-2025-52784 is a Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post that enables Stored XSS attacks, affecting versions through 1.1.1. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in victims' browsers when they view affected content, potentially leading to session hijacking, credential theft, or defacement. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world risk.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.

CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk despite the security-conscious WordPress ecosystem.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.

WordPress CSRF Google
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the extremely low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact despite the CVSS categorization.

CSRF
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting attacks through forged requests that bypass CSRF protections. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.

CSRF XSS
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Immich versions prior to 1.132.0 are vulnerable to account hijacking through OAuth2 state parameter validation bypass (CWE-303). An attacker can perform unauthorized account linkage by exploiting missing state parameter verification, allowing them to hijack victim accounts through crafted OAuth login URLs or hidden iframes embedded in malicious webpages. This vulnerability is particularly dangerous when OAuth providers are publicly accessible, and affected users can be compromised without direct interaction if the /user-settings redirect_uri is configured.

Google CSRF
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access.

XSS CSRF
NVD
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.

CSRF
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1.

RCE CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.

CSRF Denial Of Service Splunk Cloud Platform +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

CSRF Splunk Splunk Cloud Platform
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.

PHP CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Trust Payments Trust Payments Gateway for WooCommerce (JavaScript Library) allows Cross Site Request Forgery. This issue affects Trust Payments Gateway for WooCommerce (JavaScript Library): from n/a through 1.3.6.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station allows Cross Site Request Forgery. This issue affects Radio Station: from n/a through 2.5.12.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through 1.2.0.

CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Wp Firebase Push Notification +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request that they did not intend. The request uses the victim's browser's saved authorization to execute the request.

CSRF Meac300 Fnade4 Firmware
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Cross-Site Request Forgery (CSRF) vulnerability in Laundry on Linux, MacOS allows to perform an Account Takeover. This issue affects Laundry: 2.3.0.

Apple CSRF Laundry +1
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in.

CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PHP WordPress CSRF +1
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the device configuration without user interaction.

CSRF
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

CSRF Command Injection Sunshine
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default.

XSS CSRF Privilege Escalation
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as problematic, was found in DaiCuo up to 1.3.13. This affects an unknown part of the file /admin.php/addon/index. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as problematic, has been found in SeaCMS up to 13.2. Affected by this issue is some unknown functionality of the file /admin_type.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The MicroPayments - Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Micropayments +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete inquiry records via a simple GET request, without requiring a CSRF token or validating the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Manage Card functionality (/mcgs/admin/manage-card.php) of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical card records by sending a simple GET request without verifying the origin of the request.

PHP CSRF Medical Card Generation System
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ethoseo Track Everything allows Stored XSS. This issue affects Track Everything: from n/a through 2.0.1.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in rui_mashita Aioseo Multibyte Descriptions allows Cross Site Request Forgery. This issue affects Aioseo Multibyte Descriptions: from n/a through 0.0.6.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in AcmeeDesign WPShapere Lite allows Stored XSS. This issue affects WPShapere Lite: from n/a through 1.4.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in alanft Relocate Upload allows Stored XSS. This issue affects Relocate Upload: from n/a through 0.24.1.

XSS CSRF
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in sh1zen WP Optimizer allows SQL Injection. This issue affects WP Optimizer: from n/a through 2.3.6.

CSRF SQLi
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Looks Awesome OnionBuzz allows Stored XSS. This issue affects OnionBuzz: from n/a through 1.0.7.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Funnnny HidePost allows Reflected XSS. This issue affects HidePost: from n/a through 2.3.8.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in gopi_plus Image Slider With Description allows Stored XSS. This issue affects Image Slider With Description: from n/a through 9.2.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in lucidcrew WP Forum Server allows Stored XSS. This issue affects WP Forum Server: from n/a through 1.8.2.

XSS CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Hossin Asaadi WP Permalink Translator allows Stored XSS. This issue affects WP Permalink Translator: from n/a through 1.7.6.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Slickstream Slickstream allows Cross Site Request Forgery. This issue affects Slickstream: from n/a through 2.0.3.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in opicron Image Cleanup allows Cross Site Request Forgery. This issue affects Image Cleanup: from n/a through 1.9.2.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Anton Bond Additional Order Filters for WooCommerce allows Stored XSS. This issue affects Additional Order Filters for WooCommerce: from n/a through 1.22.

WordPress CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA allows Cross Site Request Forgery. This issue affects WordPress CTA: from n/a through 1.6.9.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through 1.1.3.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through 1.5.12.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Husain Hide Admin Bar From Front End allows Cross Site Request Forgery. This issue affects Hide Admin Bar From Front End: from n/a through 1.0.0.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Elena Yamshikova Virusdie allows Cross Site Request Forgery. This issue affects Virusdie: from n/a through 1.1.3.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Konrád Koller ONet Regenerate Thumbnails allows Cross Site Request Forgery. This issue affects ONet Regenerate Thumbnails: from n/a through 1.5.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in PluginsCafe Address Autocomplete via Google for Gravity Forms allows Cross Site Request Forgery. This issue affects Address Autocomplete via Google for Gravity Forms: from n/a through 1.3.4.

Google CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Writesonic Writesonic allows Cross Site Request Forgery. This issue affects Writesonic: from n/a through 1.0.4.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.148.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF Vr Calendar +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.

CSRF Open Social Drupal
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery vulnerability exists in iroha Board versions v0.10.12 and earlier. If a user accesses a specially crafted URL while being logged in to the affected product, arbitrary learning histories may be registered.

CSRF Iroha Board
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress CSRF
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability, which was classified as problematic, was found in CodeAstro Patient Record Management System 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a cross-site request forgery vulnerability in Tuleap Community Edition prior to version 16.8.99.1749830289 and Tuleap Enterprise Edition prior to version 16.9-1 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1749830289 and Tuleap Enterprise Edition 16.9-1 contain a patch for the issue.

CSRF Tuleap
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a vulnerability present in Tuleap Community Edition prior to version 16.8.99.1748845907 and Tuleap Enterprise Edition prior to versions 16.8-3 and 16.7-5 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1748845907, Tuleap Enterprise Edition 16.8-3, and Tuleap Enterprise Edition 16.7-5 contain a fix for the vulnerability.

CSRF Tuleap
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

CSRF Ubuntu Debian
NVD
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability was found in CodeAstro Expense Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely.

CSRF
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in SourceCodester Gym Management System 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.

CSRF Gitlab RCE
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A privilege escalation vulnerability in Rameez Iqbal Real Estate Manager allows Privilege Escalation (CVSS 8.8). High severity vulnerability requiring prompt remediation.

CSRF Privilege Escalation
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52795 is a Cross-Site Request Forgery (CSRF) vulnerability in the aharonyan WP Front User Submit / Front Editor WordPress plugin (versions up to 4.9.4) that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 with high availability impact, enabling attackers to modify or delete user-submitted content through malicious web requests without user consent.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52792 is a Cross-Site Request Forgery (CSRF) vulnerability in the vgstef WP User Stylesheet Switcher WordPress plugin (versions up to v2.2.0) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a simple network request with user interaction to inject malicious scripts that execute in victims' browsers, potentially compromising user sessions and data. The vulnerability has not been confirmed as actively exploited in the wild, though the high CVSS score (7.1) and network-accessible attack vector indicate practical exploitability.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52791 is a CSRF vulnerability in devfelixmoira Knowledge Base Maker (versions up to 1.1.8) that enables Stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts that persist and execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can affect multiple users through stored payloads, with a CVSS score of 7.1 indicating medium-high severity. No KEV listing or confirmed EPSS data is available in public sources, and patch availability status requires verification with the vendor.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52790 is a CSRF vulnerability in the r-win WP-DownloadCounter WordPress plugin (versions through 1.01) that enables Stored XSS attacks. An attacker can craft malicious requests that, when clicked by an administrator, inject persistent JavaScript into the plugin's data storage, affecting all site visitors. The CVSS 7.1 score reflects moderate severity with network-based attack delivery and user interaction requirements, though the actual exploitability and active exploitation status require verification against KEV and EPSS data.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

A cross-site scripting vulnerability in George Lewe Lewe ChordPress allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CVE-2025-52784 is a Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post that enables Stored XSS attacks, affecting versions through 1.1.1. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in victims' browsers when they view affected content, potentially leading to session hijacking, credential theft, or defacement. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world risk.

CSRF XSS
NVD
Prev Page 16 of 94 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy