CSRF
Monthly
Cross-origin data leakage in Google Chrome's Autofill component prior to version 149.0.7827.53 enables remote attackers to exfiltrate sensitive data from other origins by enticing a victim to visit a crafted HTML page. Despite a CVSS score of 7.5 reflecting high confidentiality impact, the EPSS score of 0.03% and Chromium's own 'Low' severity rating indicate limited real-world risk, and no public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a user to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network-exploitable, no-privilege-required exploitation with a single user interaction as the only barrier. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation interest despite the low attack complexity.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to read sensitive cross-origin information by directing a victim to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no privilege requirement, limited only by the need for user interaction. EPSS is 0.03% (11th percentile) and no public exploit has been identified at time of analysis; however, Google has issued a confirmed patch in the stable channel release, and the CWE-352/CSRF tag alongside the data-leakage description suggests a novel or hybrid attack class that security teams should monitor for further clarification.
Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.
Cross-origin data leakage in Google Chrome's Paint component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to read sensitive cross-origin data by tricking a user into visiting a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's rendering Paint subsystem that fails to properly enforce cross-origin isolation boundaries. EPSS is low at 0.03% and no active exploitation is confirmed in CISA KEV, but the high confidentiality impact (C:H) combined with low attack complexity and no required privileges makes this a meaningful data-exfiltration risk for browser users visiting untrusted web content.
Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive data from cross-origin resources by luring victims to a crafted HTML page. The flaw is rooted in an inappropriate implementation in Chrome's Media subsystem, tagged with CSRF characteristics, allowing an attacker-controlled page to read content from origins the victim is authenticated to. EPSS is low at 0.03% and no public exploit or CISA KEV listing has been identified at time of analysis.
Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) enables a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. The flaw is classified under CWE-352 (Cross-Site Request Forgery), indicating the Extensions implementation incorrectly handles cross-origin request validation in a way that bypasses same-origin isolation boundaries. No public exploit has been identified at time of analysis, and an EPSS score of 0.03% (11th percentile) signals low current exploitation probability despite the High confidentiality impact rating.
Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive information from cross-origin pages by luring a victim to a crafted HTML page. The CVSS vector confirms unauthenticated network access with high confidentiality impact (C:H), though user interaction is required (UI:R). No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates low near-term mass exploitation probability, aligning with the Chromium team's 'Medium' severity rating.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Cross-site request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to hijack administrator accounts by tricking an authenticated admin into visiting a malicious page. The `/configUpdate` endpoint accepts state-changing requests without enforcing POST or validating anti-CSRF tokens, and because the session cookie uses SameSite=Lax it remains attached to top-level cross-site navigations. No public exploit identified at time of analysis, but the fix is explicitly called out in the v2.17.1 release notes.
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.
Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. Successful exploitation can chain into CSRF attacks and large-scale session token theft across the user base. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch is available.
OAuth login CSRF in NamelessMC 2.2.4 and prior enables session swapping by exploiting the absence of server-side state parameter validation during OAuth callback handling. An unauthenticated attacker (PR:N) who controls their own OAuth-linked account can capture a valid callback URL and socially engineer a victim (UI:R) into navigating to it, causing the victim's browser session to become authenticated as the attacker's account - effectively hijacking the victim's logged-in state. No public exploit has been identified and this is not listed in the CISA KEV catalog, but the patch to version 2.2.5 is confirmed via GitHub Security Advisory GHSA-pmpw-2xvh-5xj6.
Cross-Site Request Forgery in the Laiser Tag WordPress plugin (versions up to and including 1.2.5) allows unauthenticated remote attackers to overwrite critical plugin settings - including API keys, tag blacklists, relevance thresholds, batch sizes, and tagging toggles - by tricking a logged-in site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation on the addOptionsPageFields function, as identified by Wordfence and corroborated by source references pointing to Tagging.php and adminOptionPage.php in the plugin's trunk. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world exploitation opportunity relatively constrained by the required administrator interaction.
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Cross-Site Request Forgery in the Remove NoFollow Commenter URL WordPress plugin (all versions ≤ 1.0) allows unauthenticated remote attackers to modify the plugin's comment-display settings by tricking a logged-in site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation in the `gmz_comment_settings_save` function, meaning the plugin accepts state-changing POST requests without verifying they originated from a legitimate admin session. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects the required user interaction as a meaningful limiting factor.
Cross-Site Request Forgery in the Tectite Forms WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by inducing an authenticated administrator to click a crafted link. The vulnerable surface is the admin_init function, which lacks proper nonce validation (CWE-352), permitting forged requests to alter options such as tectite_forms_button. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Cross-site request forgery in the Google Plus One Bottom WordPress plugin (all versions ≤ 0.0.2) enables unauthenticated remote attackers to overwrite plugin settings stored in the WordPress database by tricking an authenticated administrator into clicking a crafted link. The root cause is missing nonce validation in the googlePlusOneAdmin function, exposing the plusone-lang, plusone-callback, and plusone-url options to unauthorized modification. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the social-engineering dependency is the primary limiting factor rather than any technical barrier.
Cross-Site Request Forgery in the BirdSeed WordPress plugin (all versions up to and including 2.2.0) enables unauthenticated remote attackers to overwrite the plugin's API token by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from birdseed_plugin_settings_page() accepting the birdseed_token GET parameter and persisting it via update_option() with no nonce verification, bypassing WordPress's standard CSRF protection entirely. No public exploit has been identified at time of analysis; CVSS rates this Medium (4.3) reflecting narrow integrity impact limited to token replacement.
ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in the DeepAI platform's account management API allows unauthenticated remote attackers to change an authenticated user's registered email address, enabling full account takeover. The POST endpoint at https://api.deepai.org/change_user_email accepts state-changing requests without any CSRF token or origin validation, meaning a browser will automatically include session credentials when the request is triggered from a third-party page. The vulnerability was fixed server-side on 2026-05-20 per the CVE description; no public exploit or CISA KEV listing is associated with this CVE at time of analysis.
Cross-Site Request Forgery in SOPlanning 1.55 and below allows unauthenticated remote attackers to perform unauthorized group management operations - create, modify, or delete groups - by tricking an authenticated user into visiting a malicious webpage. The vulnerability affects the groupe_save endpoints, which accept forged GET or POST requests without validating request origin. No public exploit has been identified at time of analysis, and no KEV listing exists, but the low attack complexity and lack of privilege requirements for the attacker make social engineering viable against any authenticated user session.
Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.
Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.
Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.
Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.
Cross-site request forgery in Admidio's registration module (`modules/registration.php`) allows an unauthenticated attacker to force a password reset on any user account by tricking a registration-administrator into visiting a malicious page. The `send_login` mode uniquely omits the `SecurityUtils::validateCsrfToken()` check present in all four sibling branches, and unconditionally accepts GET requests, meaning a single `<img src=...>` tag is sufficient to trigger the attack - no form submission or JavaScript required. Publicly available exploit code confirmed against HEAD commit c5cde53; no active exploitation in CISA KEV at time of analysis.
Broken access control in Admidio's `modules/categories.php` allows any authenticated module-administrator to permanently delete, reorder, or rename category records belonging to modules they do not administer. An Announcements administrator, for example, can destroy Role categories, Event calendars, or Profile-field categories by supplying a foreign category UUID while passing their own authorized module type as the `type` GET parameter, bypassing a per-record authorization check that is permanently dead code. A detailed working proof-of-concept is publicly available, demonstrated on a fresh Admidio install; no public exploit identified at time of analysis as CISA KEV-confirmed active exploitation, but the CVSS 6.5 (PR:L, I:H) reflects real data-destruction risk in any Admidio deployment that delegates module-admin rights to non-superadmin users.
Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Froxlor 2.3.6 allows an authenticated low-privileged customer with shell delegation enabled to assign an arbitrary login shell (e.g., /bin/bash) to an FTP account, escaping the administrator-defined system.available_shells whitelist. On default Debian-based deployments using nssextrausers, a root-owned cron job propagates the attacker-chosen shell into /var/lib/extrausers/passwd, converting the FTP-only account into an interactive host shell account. Publicly available exploit code exists (POC published in the GHSA advisory); no public exploit identified at time of analysis as being actively used in the wild.
Cross-Site Request Forgery in the Media Library Assistant WordPress plugin versions 3.35 and earlier allows remote attackers to coerce authenticated administrators into executing bulk delete, edit, or purge actions against plugin settings and attachment metadata. The flaw stems from missing nonce checks on bulk action handlers across multiple settings tabs and was reported by Wordfence. There is no public exploit identified at time of analysis and no CISA KEV listing, but the high CVSS of 8.1 reflects significant integrity and availability impact if a logged-in admin is lured to a malicious page.
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.
CSRF middleware bypass in Budibase Worker allows unauthenticated remote attackers to forge state-changing requests against any Worker API endpoint by injecting a public route pattern into the query string. Affected versions prior to 3.35.4 are exposed to privilege escalation actions including sending admin invites, modifying global configuration, and managing users - all without a valid CSRF token. User interaction is required (CVSS UI:R), limiting opportunistic mass exploitation, though proof-of-concept exploit code exists per SSVC assessment. No active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.
Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.
Cross-Site Request Forgery in Jason2605 AdminPanel 4.0 exposes the delete.php endpoint to forged requests, allowing an unauthenticated remote attacker to perform unauthorized deletion operations by tricking an authenticated administrator into triggering the request. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-reachable with no required attacker privileges, though victim interaction is mandatory. A publicly available proof-of-concept exists per SSVC classification, though no active exploitation (CISA KEV) has been confirmed at time of analysis.
Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.
Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.
Cross-Site Request Forgery in CDN Linker lite WordPress plugin (versions up to and including 1.3.1) enables unauthenticated remote attackers to hijack a site's CDN URL by tricking a logged-in administrator into triggering a forged request. The vulnerable function, ossdl_off_options(), lacks proper nonce validation, meaning an attacker who successfully engineers admin interaction can repoint all static asset references - JavaScript, CSS, images - to an attacker-controlled domain. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects low current exploitation probability.
Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.
Cross-Site Request Forgery in the auto making JSON-LD WordPress plugin (all versions through 4.5.3) enables unauthenticated remote attackers to overwrite the plugin's license key option and trigger unauthorized installation of pro components by inducing an authenticated administrator to visit a malicious page. The vulnerability originates from absent or incorrect nonce validation in the `amJL_certification` function (settings/certification.php), bypassing WordPress's built-in CSRF protection and cascading into downstream calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`. No public exploit has been identified at time of analysis; EPSS is 0.01% (2nd percentile) and SSVC confirms no known exploitation.
Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3.
Cross-Site Request Forgery in the Genzel breadcrumbs WordPress plugin (all versions ≤1.2) enables unauthenticated attackers to silently overwrite breadcrumb configuration - including templates, delimiters, home labels, URIs, and routing rules - by tricking a logged-in administrator into loading a forged request. The flaw is rooted in absent nonce validation inside the _options_page function, confirmed at gb.class.php lines 412 and 424 and page-options.php line 16. No public exploit identified at time of analysis; EPSS of 0.01% (2nd percentile) signals negligible mass-exploitation probability.
Cross-Site Request Forgery in the Old Posts Highlighter WordPress plugin (all versions ≤1.0.3) enables unauthenticated network attackers to modify the plugin's configuration settings without authorization, provided they can socially engineer an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect WordPress nonce validation in the OPH_options function within OPH_admin.php, a standard anti-CSRF control in the WordPress plugin ecosystem. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects minimal observed exploitation pressure.
Cross-Site Request Forgery in the CM Ad Changer WordPress plugin (all versions ≤ 2.0.7) allows permanent, irreversible deletion of advertising campaigns, associated banner records, and uploaded media files without any attacker authentication. The root cause is absent or incorrect nonce validation in the cmac_campaigns_action function, meaning forged HTTP requests bypass WordPress's standard CSRF defenses entirely. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at the 2nd percentile, but the social-engineering bar - tricking one administrator into clicking a link - is low, making this a meaningful integrity risk for ad-dependent WordPress deployments.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses JavaScript's dot operator without the dotAll flag, causing tags containing literal newline or carriage-return characters (e.g., <img\nsrc=x\nonerror=alert(1)>) to pass through unmodified - while browsers parse such tags as fully valid HTML elements and execute embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.
Cross-site request forgery in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to perform unauthorized state-changing actions by tricking an authenticated user into visiting a malicious page. The CVSS 4.0 vector (VI:L, SC:N/SI:N/SA:N) confirms impact is limited to low-level integrity degradation on the vulnerable system with no confidentiality or availability consequence. A publicly available exploit (PoC HTML page and advisory) has been released to GitHub by researcher NARKHEDE-VAIBHAV; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
CSRF token validation is absent on the admin user activation endpoint (com_users component) in Joomla! CMS 6.0.0 through 6.1.0, allowing a remote attacker to trigger unauthorized user activation actions by luring an authenticated administrator into visiting a crafted page. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires an active, logged-in administrator and deliberate user interaction, constraining real-world risk despite the network-accessible attack vector. No public exploit code exists and CISA has not added this to KEV; EPSS places exploitation probability at 0.02% (5th percentile), consistent with SSVC's 'none' exploitation status.
Server-side request forgery in Weblate's Create Component feature allows authenticated users with component creation rights to make the Weblate server issue HTTP requests to arbitrary internal endpoints, including cloud metadata services, by supplying a crafted repository URL when the Mercurial VCS backend is selected. The Mercurial backend uniquely surfaces the full HTTP response body to the requesting user, enabling enumeration of internal services; file:// scheme requests additionally allow filesystem layout inference via error-message oracle behavior. No active exploitation has been confirmed (not in CISA KEV), but cloud-hosted deployments face elevated risk from IAM credential disclosure via instance metadata endpoints.
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.
Cross-Site Request Forgery in the WPSubscription WordPress plugin (Convers Lab, versions through 1.9.1) enables remote unauthenticated attackers to perform unauthorized state-changing actions by tricking an authenticated WordPress user into visiting a malicious page or clicking a crafted link. The CVSS 4.3 Medium rating reflects limited integrity impact (I:L) with no confidentiality or availability exposure. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.01% (3rd percentile) and SSVC 'Exploitation: none' both corroborate the low real-world threat level at time of analysis.
Cross-Site Request Forgery in the Recorp Export WP Page to Static HTML/CSS WordPress plugin (versions through 6.0.0) allows unauthenticated remote attackers to force authenticated WordPress administrators into executing unauthorized state-changing plugin actions by tricking them into visiting a malicious web page. The CVSS vector (PR:N/UI:R/I:H) confirms no attacker authentication is required but victim interaction is mandatory, resulting in high integrity impact with no confidentiality or availability loss. No public exploit has been identified at time of analysis, and EPSS at 0.01% (3rd percentile) alongside SSVC exploitation status of 'none' indicate minimal current threat activity.
Cross-Site Request Forgery in WpDevArt's Organization Chart WordPress plugin (all versions through 1.7.5) enables remote unauthenticated attackers to perform unauthorized state-changing actions against the plugin by tricking an authenticated WordPress user into interacting with a crafted request. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that while no authentication or elevated complexity is required on the attacker's side, exploitation is gated by mandatory victim interaction, limiting realistic impact to integrity modifications only. No public exploit code exists and no active exploitation has been identified; EPSS score of 0.01% (3rd percentile) and SSVC exploitation status of 'none' collectively indicate low real-world threat at time of analysis.
Cross-site request forgery in SourceCodester Student Grades Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - such as modifying student grade records - by tricking authenticated users into visiting a malicious page. The CVSS 4.0 score of 2.1 reflects constrained impact: integrity loss is low (VI:L), and there is no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists on GitHub (corroborated by E:P in the CVSS vector), though EPSS at 0.02% (4th percentile) signals negligible observed exploitation activity and no public exploit identified at time of analysis has matured into confirmed active exploitation.
Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.
Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.
Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-origin data leakage in Google Chrome's Autofill component prior to version 149.0.7827.53 enables remote attackers to exfiltrate sensitive data from other origins by enticing a victim to visit a crafted HTML page. Despite a CVSS score of 7.5 reflecting high confidentiality impact, the EPSS score of 0.03% and Chromium's own 'Low' severity rating indicate limited real-world risk, and no public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a user to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network-exploitable, no-privilege-required exploitation with a single user interaction as the only barrier. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation interest despite the low attack complexity.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to read sensitive cross-origin information by directing a victim to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no privilege requirement, limited only by the need for user interaction. EPSS is 0.03% (11th percentile) and no public exploit has been identified at time of analysis; however, Google has issued a confirmed patch in the stable channel release, and the CWE-352/CSRF tag alongside the data-leakage description suggests a novel or hybrid attack class that security teams should monitor for further clarification.
Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.
Cross-origin data leakage in Google Chrome's Paint component (versions prior to 149.0.7827.53) allows a remote unauthenticated attacker to read sensitive cross-origin data by tricking a user into visiting a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's rendering Paint subsystem that fails to properly enforce cross-origin isolation boundaries. EPSS is low at 0.03% and no active exploitation is confirmed in CISA KEV, but the high confidentiality impact (C:H) combined with low attack complexity and no required privileges makes this a meaningful data-exfiltration risk for browser users visiting untrusted web content.
Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive data from cross-origin resources by luring victims to a crafted HTML page. The flaw is rooted in an inappropriate implementation in Chrome's Media subsystem, tagged with CSRF characteristics, allowing an attacker-controlled page to read content from origins the victim is authenticated to. EPSS is low at 0.03% and no public exploit or CISA KEV listing has been identified at time of analysis.
Cross-origin data leakage in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) enables a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. The flaw is classified under CWE-352 (Cross-Site Request Forgery), indicating the Extensions implementation incorrectly handles cross-origin request validation in a way that bypasses same-origin isolation boundaries. No public exploit has been identified at time of analysis, and an EPSS score of 0.03% (11th percentile) signals low current exploitation probability despite the High confidentiality impact rating.
Cross-origin data leakage in Google Chrome's Media component (versions prior to 149.0.7827.53) enables remote attackers to exfiltrate sensitive information from cross-origin pages by luring a victim to a crafted HTML page. The CVSS vector confirms unauthenticated network access with high confidentiality impact (C:H), though user interaction is required (UI:R). No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates low near-term mass exploitation probability, aligning with the Chromium team's 'Medium' severity rating.
Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the `autoEvalCodeOnHTML` key from `$json['msg']`, but `msgToResourceId()` prioritizes the sibling `json` key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Cross-site request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to hijack administrator accounts by tricking an authenticated admin into visiting a malicious page. The `/configUpdate` endpoint accepts state-changing requests without enforcing POST or validating anti-CSRF tokens, and because the session cookie uses SameSite=Lax it remains attached to top-level cross-site navigations. No public exploit identified at time of analysis, but the fix is explicitly called out in the v2.17.1 release notes.
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.
Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. Successful exploitation can chain into CSRF attacks and large-scale session token theft across the user base. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch is available.
OAuth login CSRF in NamelessMC 2.2.4 and prior enables session swapping by exploiting the absence of server-side state parameter validation during OAuth callback handling. An unauthenticated attacker (PR:N) who controls their own OAuth-linked account can capture a valid callback URL and socially engineer a victim (UI:R) into navigating to it, causing the victim's browser session to become authenticated as the attacker's account - effectively hijacking the victim's logged-in state. No public exploit has been identified and this is not listed in the CISA KEV catalog, but the patch to version 2.2.5 is confirmed via GitHub Security Advisory GHSA-pmpw-2xvh-5xj6.
Cross-Site Request Forgery in the Laiser Tag WordPress plugin (versions up to and including 1.2.5) allows unauthenticated remote attackers to overwrite critical plugin settings - including API keys, tag blacklists, relevance thresholds, batch sizes, and tagging toggles - by tricking a logged-in site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation on the addOptionsPageFields function, as identified by Wordfence and corroborated by source references pointing to Tagging.php and adminOptionPage.php in the plugin's trunk. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world exploitation opportunity relatively constrained by the required administrator interaction.
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Cross-Site Request Forgery in the Remove NoFollow Commenter URL WordPress plugin (all versions ≤ 1.0) allows unauthenticated remote attackers to modify the plugin's comment-display settings by tricking a logged-in site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation in the `gmz_comment_settings_save` function, meaning the plugin accepts state-changing POST requests without verifying they originated from a legitimate admin session. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects the required user interaction as a meaningful limiting factor.
Cross-Site Request Forgery in the Tectite Forms WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by inducing an authenticated administrator to click a crafted link. The vulnerable surface is the admin_init function, which lacks proper nonce validation (CWE-352), permitting forged requests to alter options such as tectite_forms_button. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Cross-site request forgery in the Google Plus One Bottom WordPress plugin (all versions ≤ 0.0.2) enables unauthenticated remote attackers to overwrite plugin settings stored in the WordPress database by tricking an authenticated administrator into clicking a crafted link. The root cause is missing nonce validation in the googlePlusOneAdmin function, exposing the plusone-lang, plusone-callback, and plusone-url options to unauthorized modification. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the social-engineering dependency is the primary limiting factor rather than any technical barrier.
Cross-Site Request Forgery in the BirdSeed WordPress plugin (all versions up to and including 2.2.0) enables unauthenticated remote attackers to overwrite the plugin's API token by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from birdseed_plugin_settings_page() accepting the birdseed_token GET parameter and persisting it via update_option() with no nonce verification, bypassing WordPress's standard CSRF protection entirely. No public exploit has been identified at time of analysis; CVSS rates this Medium (4.3) reflecting narrow integrity impact limited to token replacement.
ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in the DeepAI platform's account management API allows unauthenticated remote attackers to change an authenticated user's registered email address, enabling full account takeover. The POST endpoint at https://api.deepai.org/change_user_email accepts state-changing requests without any CSRF token or origin validation, meaning a browser will automatically include session credentials when the request is triggered from a third-party page. The vulnerability was fixed server-side on 2026-05-20 per the CVE description; no public exploit or CISA KEV listing is associated with this CVE at time of analysis.
Cross-Site Request Forgery in SOPlanning 1.55 and below allows unauthenticated remote attackers to perform unauthorized group management operations - create, modify, or delete groups - by tricking an authenticated user into visiting a malicious webpage. The vulnerability affects the groupe_save endpoints, which accept forged GET or POST requests without validating request origin. No public exploit has been identified at time of analysis, and no KEV listing exists, but the low attack complexity and lack of privilege requirements for the attacker make social engineering viable against any authenticated user session.
Permanent inventory field deletion in Admidio (composer/admidio/admidio <= 5.0.9) is reachable by any authenticated low-privilege user due to a missing authorization gate in the `field_delete` mode of `modules/inventory.php`. Deleting a field cascades to all stored item data (`adm_inventory_item_data`) and field options (`adm_inventory_field_options`) for that field with no in-product undo path - recovery requires a database restore. This is an incomplete fix: commit d37ca6b (2026-04-12) added `isAdministratorInventory()` to the sibling `item_delete` handler but left `field_delete` and at least five other state-changing handlers ungated. A working proof-of-concept is published in the GitHub advisory; no public exploit frameworks or CISA KEV listing have been identified at time of analysis.
Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.
Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.
Insecure direct object reference in Admidio's documents module allows any user with upload rights on a single folder to exfiltrate files from private folders they cannot read. The `move_save` handler in `modules/documents-files.php` validates the actor's upload right against a URL-supplied `folder_uuid` rather than the file's actual parent folder, letting a low-privileged member relocate restricted files into an attacker-controlled folder and download them. No public exploit identified at time of analysis, but a detailed PoC with verified code paths is included in the GHSA-x628-457g-2pw9 advisory.
Cross-folder file rename and description tampering in Admidio's document management module allows any authenticated uploader to modify files in folders they cannot write to. The vulnerability affects Admidio <= 5.0.9 (composer package admidio/admidio): a low-privilege user holding upload rights on a single folder can rename files and overwrite descriptions in any other folder they can view, breaking integrity for all readers of those folders. Publicly available exploit code exists per the GitHub Security Advisory; no KEV listing at time of analysis.
Cross-site request forgery in Admidio's SSO module allows a network-adjacent attacker to disable or silently re-enable any configured SAML or OIDC authentication client by tricking an authenticated administrator into loading a malicious page. The `enable` action in `modules/sso/clients.php` accepts its `enabled` parameter via GET and applies the state change with no CSRF token validation, while every other state-changing branch in the same file enforces `SecurityUtils::validateCsrfToken()`. A working proof-of-concept is included in the vendor's GitHub security advisory (GHSA-xg76-5qj2-2hhv); no KEV listing was identified at time of analysis.
Cross-site request forgery in Admidio's registration module (`modules/registration.php`) allows an unauthenticated attacker to force a password reset on any user account by tricking a registration-administrator into visiting a malicious page. The `send_login` mode uniquely omits the `SecurityUtils::validateCsrfToken()` check present in all four sibling branches, and unconditionally accepts GET requests, meaning a single `<img src=...>` tag is sufficient to trigger the attack - no form submission or JavaScript required. Publicly available exploit code confirmed against HEAD commit c5cde53; no active exploitation in CISA KEV at time of analysis.
Broken access control in Admidio's `modules/categories.php` allows any authenticated module-administrator to permanently delete, reorder, or rename category records belonging to modules they do not administer. An Announcements administrator, for example, can destroy Role categories, Event calendars, or Profile-field categories by supplying a foreign category UUID while passing their own authorized module type as the `type` GET parameter, bypassing a per-record authorization check that is permanently dead code. A detailed working proof-of-concept is publicly available, demonstrated on a fresh Admidio install; no public exploit identified at time of analysis as CISA KEV-confirmed active exploitation, but the CVSS 6.5 (PR:L, I:H) reflects real data-destruction risk in any Admidio deployment that delegates module-admin rights to non-superadmin users.
Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Froxlor 2.3.6 allows an authenticated low-privileged customer with shell delegation enabled to assign an arbitrary login shell (e.g., /bin/bash) to an FTP account, escaping the administrator-defined system.available_shells whitelist. On default Debian-based deployments using nssextrausers, a root-owned cron job propagates the attacker-chosen shell into /var/lib/extrausers/passwd, converting the FTP-only account into an interactive host shell account. Publicly available exploit code exists (POC published in the GHSA advisory); no public exploit identified at time of analysis as being actively used in the wild.
Cross-Site Request Forgery in the Media Library Assistant WordPress plugin versions 3.35 and earlier allows remote attackers to coerce authenticated administrators into executing bulk delete, edit, or purge actions against plugin settings and attachment metadata. The flaw stems from missing nonce checks on bulk action handlers across multiple settings tabs and was reported by Wordfence. There is no public exploit identified at time of analysis and no CISA KEV listing, but the high CVSS of 8.1 reflects significant integrity and availability impact if a logged-in admin is lured to a malicious page.
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persistent JavaScript payload in the administrator-facing audit log via their OAuth display name and a subsequent API token creation. When an admin visits /system/audit, the payload executes in their browser, enabling session cookie theft, CSRF token exfiltration from the la-app-data meta tag, and full impersonation of admin privileges. No public exploit identified at time of analysis, but a vendor patch (2.5.6) and GitHub Security Advisory GHSA-jx4g-ph82-x9mm are available.
Cross-product compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-privileged remote attacker who can lure an authenticated user into interacting with a crafted request to gain high-impact read and write access to ORDS-accessible data and cause partial denial of service. Because the CVSS scope is Changed (S:C), successful exploitation may also impact downstream Oracle components beyond ORDS itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the 7.9 base score combined with scope change warrants prompt patching.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Stripe payment processing can be permanently disabled on any WooCommerce store running the PeachPay plugin through version 1.120.46 by an unauthenticated attacker who successfully social-engineers a logged-in site administrator. The vulnerability stems from missing nonce validation on the peachpay_stripe_handle_admin_actions function, allowing a forged cross-site request to irreversibly wipe all Stripe credentials - publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-exploitable at low complexity requiring only one user-interaction step.
Cross-Site Request Forgery in Easy Digital Downloads WordPress plugin through version 3.6.7 enables payment account hijacking by exploiting the Square gateway's unprotected OAuth callback. The `handle_oauth_redirect()` function, registered on the `admin_init` hook, accepts attacker-supplied Square OAuth tokens via GET parameters with no nonce validation, allowing any unauthenticated attacker to overwrite stored Square payment credentials by tricking a logged-in administrator into clicking a crafted link. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the financial impact potential - silent redirection of all payment processing to an attacker-controlled Square account - meaningfully exceeds what the CVSS score of 4.3 conveys.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.
CSRF middleware bypass in Budibase Worker allows unauthenticated remote attackers to forge state-changing requests against any Worker API endpoint by injecting a public route pattern into the query string. Affected versions prior to 3.35.4 are exposed to privilege escalation actions including sending admin invites, modifying global configuration, and managing users - all without a valid CSRF token. User interaction is required (CVSS UI:R), limiting opportunistic mass exploitation, though proof-of-concept exploit code exists per SSVC assessment. No active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.
Cross-site request forgery in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows unauthenticated remote attackers to trigger unauthorized pull request builds by tricking an authenticated Jenkins user into visiting a crafted page. The vulnerability stems from missing CSRF token validation on the endpoint that triggers pull request builds. With CVSS 4.3 (Medium) and no public exploit or KEV listing identified at time of analysis, this represents a moderate-integrity risk primarily in CI/CD pipeline environments where unauthorized build execution could be leveraged for resource abuse or workflow manipulation.
Cross-Site Request Forgery in Jason2605 AdminPanel 4.0 exposes the delete.php endpoint to forged requests, allowing an unauthenticated remote attacker to perform unauthorized deletion operations by tricking an authenticated administrator into triggering the request. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-reachable with no required attacker privileges, though victim interaction is mandatory. A publicly available proof-of-concept exists per SSVC classification, though no active exploitation (CISA KEV) has been confirmed at time of analysis.
Cross-Site Request Forgery in MetaMagic SEO Plugin for WordPress (all versions ≤ 1.6) enables unauthenticated remote attackers to modify plugin SEO configuration - including enabling or disabling the plugin and toggling meta tag output - by inducing a logged-in administrator to trigger a forged HTTP request. The root cause is missing or incorrect nonce validation in the metamagic_update_options function, as confirmed by Wordfence (security@wordfence.com) and indexed under ENISA EUVD-2026-32117. No public exploit identified at time of analysis; EPSS at 0.01% (2nd percentile) and SSVC exploitation status of 'none' indicate very low real-world exploitation probability at this time.
Cross-Site Request Forgery in WP Promoter (WordPress plugin, all versions ≤1.3) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious JavaScript by tricking an authenticated administrator into clicking a crafted link. The CVSS changed-scope designation (S:C) signals that successfully injected scripts execute in the browsers of subsequent site visitors - extending impact beyond the targeted administrator. No public exploit code has been identified and EPSS at 0.01% (2nd percentile) reflects negligible observed exploitation activity at time of analysis.
CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.
Cross-Site Request Forgery in the GoStats for WordPress plugin (all versions ≤ 1.4) allows unauthenticated remote attackers to overwrite plugin configuration options - specifically gostats_siteid and gostats_server - by tricking an authenticated administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation in the gostats_manage() function, bypassing WordPress's standard CSRF defense. No active exploitation has been confirmed: the vulnerability is absent from CISA KEV, carries an EPSS score of 0.01% (2nd percentile), and SSVC rates exploitation status as none - indicating negligible real-world exploitation pressure at time of analysis.
Cross-Site Request Forgery in CDN Linker lite WordPress plugin (versions up to and including 1.3.1) enables unauthenticated remote attackers to hijack a site's CDN URL by tricking a logged-in administrator into triggering a forged request. The vulnerable function, ossdl_off_options(), lacks proper nonce validation, meaning an attacker who successfully engineers admin interaction can repoint all static asset references - JavaScript, CSS, images - to an attacker-controlled domain. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects low current exploitation probability.
Cross-Site Request Forgery in the Search Simple Fields WordPress plugin (versions ≤ 0.2) enables unauthenticated remote attackers to modify plugin configuration by tricking an authenticated site administrator into clicking a crafted link. The root cause is absent or incorrect nonce validation in the `search_simple_fields_options()` function within `functions_admin.php`, allowing forged HTTP requests to alter settings such as post types, custom fields, media fields, and the custom media function name. No active exploitation is confirmed (no CISA KEV listing, EPSS at 0.01%, SSVC exploitation status: none), making this a low-urgency but straightforward finding on affected WordPress installations.
Cross-Site Request Forgery in the auto making JSON-LD WordPress plugin (all versions through 4.5.3) enables unauthenticated remote attackers to overwrite the plugin's license key option and trigger unauthorized installation of pro components by inducing an authenticated administrator to visit a malicious page. The vulnerability originates from absent or incorrect nonce validation in the `amJL_certification` function (settings/certification.php), bypassing WordPress's built-in CSRF protection and cascading into downstream calls to `amJL_is_license_valid()` and `amJL_download_and_install_pro_features()`. No public exploit has been identified at time of analysis; EPSS is 0.01% (2nd percentile) and SSVC confirms no known exploitation.
Cross-Site Request Forgery in WP AutoBuzz (WordPress plugin, all versions ≤1.1.1) enables unauthenticated remote attackers to update plugin settings and inject persistent malicious scripts by tricking an authenticated administrator into clicking a crafted link. The attack carries particular severity because the unsanitized value is written directly via WordPress's update_option at the plugin level, entirely bypassing the DISALLOW_UNFILTERED_HTML hardening constant that would otherwise block unfiltered HTML in post content. No public exploit code and no active exploitation have been identified at time of analysis; EPSS is 0.02% and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the Two-factor Authentication (formerly IP Vault) WordPress plugin versions up to and including 2.1 enables unauthenticated remote attackers to manipulate the plugin's firewall rules and 2FA configuration - potentially disabling protection entirely - by inducing an authenticated site administrator to click a crafted link. The vulnerable surface is the `ipv_save_changes` function in `admin-settings.php`, which lacks proper nonce validation. No public exploit has been identified at time of analysis, and EPSS at 0.02% (6th percentile) reflects very low automated exploitation probability, though the downstream security impact of silently disabling 2FA or firewall rules is disproportionate to the raw CVSS score of 4.3.
Cross-Site Request Forgery in the Genzel breadcrumbs WordPress plugin (all versions ≤1.2) enables unauthenticated attackers to silently overwrite breadcrumb configuration - including templates, delimiters, home labels, URIs, and routing rules - by tricking a logged-in administrator into loading a forged request. The flaw is rooted in absent nonce validation inside the _options_page function, confirmed at gb.class.php lines 412 and 424 and page-options.php line 16. No public exploit identified at time of analysis; EPSS of 0.01% (2nd percentile) signals negligible mass-exploitation probability.
Cross-Site Request Forgery in the Old Posts Highlighter WordPress plugin (all versions ≤1.0.3) enables unauthenticated network attackers to modify the plugin's configuration settings without authorization, provided they can socially engineer an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect WordPress nonce validation in the OPH_options function within OPH_admin.php, a standard anti-CSRF control in the WordPress plugin ecosystem. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (2nd percentile) reflects minimal observed exploitation pressure.
Cross-Site Request Forgery in the CM Ad Changer WordPress plugin (all versions ≤ 2.0.7) allows permanent, irreversible deletion of advertising campaigns, associated banner records, and uploaded media files without any attacker authentication. The root cause is absent or incorrect nonce validation in the cmac_campaigns_action function, meaning forged HTTP requests bypass WordPress's standard CSRF defenses entirely. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at the 2nd percentile, but the social-engineering bar - tricking one administrator into clicking a link - is low, making this a meaningful integrity risk for ad-dependent WordPress deployments.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
XSS sanitizer bypass in LiquidJS's strip_html filter (all versions through 10.25.7) allows stored or reflected cross-site scripting via newline-embedded HTML tags. The filter's catch-all regex branch uses JavaScript's dot operator without the dotAll flag, causing tags containing literal newline or carriage-return characters (e.g., <img\nsrc=x\nonerror=alert(1)>) to pass through unmodified - while browsers parse such tags as fully valid HTML elements and execute embedded event handlers. Publicly available exploit code exists; no vendor-released patch has been identified at time of analysis.
Cross-site request forgery in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to perform unauthorized state-changing actions by tricking an authenticated user into visiting a malicious page. The CVSS 4.0 vector (VI:L, SC:N/SI:N/SA:N) confirms impact is limited to low-level integrity degradation on the vulnerable system with no confidentiality or availability consequence. A publicly available exploit (PoC HTML page and advisory) has been released to GitHub by researcher NARKHEDE-VAIBHAV; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
CSRF token validation is absent on the admin user activation endpoint (com_users component) in Joomla! CMS 6.0.0 through 6.1.0, allowing a remote attacker to trigger unauthorized user activation actions by luring an authenticated administrator into visiting a crafted page. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires an active, logged-in administrator and deliberate user interaction, constraining real-world risk despite the network-accessible attack vector. No public exploit code exists and CISA has not added this to KEV; EPSS places exploitation probability at 0.02% (5th percentile), consistent with SSVC's 'none' exploitation status.
Server-side request forgery in Weblate's Create Component feature allows authenticated users with component creation rights to make the Weblate server issue HTTP requests to arbitrary internal endpoints, including cloud metadata services, by supplying a crafted repository URL when the Mercurial VCS backend is selected. The Mercurial backend uniquely surfaces the full HTTP response body to the requesting user, enabling enumeration of internal services; file:// scheme requests additionally allow filesystem layout inference via error-message oracle behavior. No active exploitation has been confirmed (not in CISA KEV), but cloud-hosted deployments face elevated risk from IAM credential disclosure via instance metadata endpoints.
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.
Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.
Cross-Site Request Forgery in the WPSubscription WordPress plugin (Convers Lab, versions through 1.9.1) enables remote unauthenticated attackers to perform unauthorized state-changing actions by tricking an authenticated WordPress user into visiting a malicious page or clicking a crafted link. The CVSS 4.3 Medium rating reflects limited integrity impact (I:L) with no confidentiality or availability exposure. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.01% (3rd percentile) and SSVC 'Exploitation: none' both corroborate the low real-world threat level at time of analysis.
Cross-Site Request Forgery in the Recorp Export WP Page to Static HTML/CSS WordPress plugin (versions through 6.0.0) allows unauthenticated remote attackers to force authenticated WordPress administrators into executing unauthorized state-changing plugin actions by tricking them into visiting a malicious web page. The CVSS vector (PR:N/UI:R/I:H) confirms no attacker authentication is required but victim interaction is mandatory, resulting in high integrity impact with no confidentiality or availability loss. No public exploit has been identified at time of analysis, and EPSS at 0.01% (3rd percentile) alongside SSVC exploitation status of 'none' indicate minimal current threat activity.
Cross-Site Request Forgery in WpDevArt's Organization Chart WordPress plugin (all versions through 1.7.5) enables remote unauthenticated attackers to perform unauthorized state-changing actions against the plugin by tricking an authenticated WordPress user into interacting with a crafted request. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that while no authentication or elevated complexity is required on the attacker's side, exploitation is gated by mandatory victim interaction, limiting realistic impact to integrity modifications only. No public exploit code exists and no active exploitation has been identified; EPSS score of 0.01% (3rd percentile) and SSVC exploitation status of 'none' collectively indicate low real-world threat at time of analysis.
Cross-site request forgery in SourceCodester Student Grades Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - such as modifying student grade records - by tricking authenticated users into visiting a malicious page. The CVSS 4.0 score of 2.1 reflects constrained impact: integrity loss is low (VI:L), and there is no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists on GitHub (corroborated by E:P in the CVSS vector), though EPSS at 0.02% (4th percentile) signals negligible observed exploitation activity and no public exploit identified at time of analysis has matured into confirmed active exploitation.
Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthorized actions on behalf of authenticated users through specially crafted requests. Public exploit code is available via GitHub Gist, lowering the barrier for exploitation. The vendor was notified but has not responded or released a patch, leaving users dependent on compensating controls. EPSS data unavailable, but the combination of low attack complexity (AC:L), no authentication requirement (PR:N), and available exploit code (E:P) elevates practical exploitation risk above the base CVSS score of 4.3.
Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.
Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.