Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8438)

EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

WordPress CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the Eagle Booking WordPress plugin (versions 1.3.4.3 and earlier) lets an unauthenticated attacker forge state-changing requests that execute with a logged-in victim's privileges when that victim is lured into triggering a malicious page. Reported through Patchstack and tracked as CVE-2025-68052 (CWE-352) with a CVSS 8.8 score, it has no public exploit identified at time of analysis and is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user (UI:R), real-world impact depends on which privileged user is targeted.

CSRF
NVD
EPSS 1% CVSS 6.9
MEDIUM This Month

Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. No active exploitation has been confirmed in the CISA KEV catalog, but the attack surface is broad and the operational impact - forced session invalidation, potential database inconsistency from concurrent invocations, and cache destruction - constitutes a meaningful denial-of-service risk against production instances.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.

CSRF SSRF RCE +1
NVD
EPSS 0% CVSS 4.2
MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CSRF Jenkins Jenkins Zowe Zdevops Plugin
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.

CSRF Jenkins Jenkins Assembla Plugin
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. No public exploit code or confirmed active exploitation has been identified at time of analysis, and SSVC rates exploitation likelihood as none with partial technical impact.

CSRF Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery in Jenkins EC2 Fleet Plugin versions through 4.2.3.539.v8fedff2a_81c3 enables a network attacker to force Jenkins to connect to an attacker-controlled endpoint using AWS credentials stored in Jenkins, effectively exfiltrating those credentials. All Jenkins instances with this plugin installed and AWS credentials configured are at risk. No active exploitation is confirmed (not in CISA KEV), SSVC rates this as non-automatable with partial technical impact, and no public exploit code has been identified at time of analysis.

CSRF Jenkins Jenkins Ec2 Fleet Plugin
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows network-accessible attackers to force a Jenkins instance to initiate connections to attacker-controlled URLs, using credential IDs previously obtained through a separate method. The CVSS vector confirms a low-privileged authenticated attacker posture (PR:L), meaning the victim must hold an active Jenkins session. No active exploitation is confirmed per CISA KEV, and the SSVC framework rates exploitation as currently none with partial technical impact.

CSRF Jenkins Jenkins Gitee Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.

CSRF Jenkins Jenkins Priority Sorter Plugin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in the Jenkins Pipeline: Groovy Plugin (versions up to and including 4331.v9d06ed4658ff) enables authenticated low-privilege users to instantiate arbitrary Java types related to job or system configuration by exploiting the unprotected Pipeline Snippet Generator endpoint. The attacker can reach types outside the normally permitted set of Pipeline steps, potentially influencing configuration objects that should be off-limits at their privilege level. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable delivery.

CSRF Jenkins Jenkins Pipeline +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Bulk SEO Image WordPress plugin (versions ≤ 1.1) enables unauthenticated attackers to bulk-overwrite every image ALT-text attribute across all published posts and pages on a target site by tricking an authenticated administrator into visiting a malicious page. The plugin's core handler BulkSeoImage() dispatches to launchbulk() and BulkSeoImageGo() whenever a POST request includes the 'bulkseoimage' parameter, with no wp_nonce_field() emitted in the form and no check_admin_referer() or wp_verify_nonce() call gating execution - confirmed by direct source code review at the plugin's Trac repository. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Bulk Seo Image
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the MP Customize Login Page WordPress plugin (all versions ≤ 1.0) enables unauthenticated remote attackers to overwrite login page settings - background, logo URL, image dimensions, button colors, and login message - by tricking a logged-in administrator into submitting a crafted request. The root cause is a doubly defective nonce implementation in enter_mpclp_login_options(): the check is logically inverted (blocking valid nonces while passing invalid ones) and the required action parameter is omitted from wp_verify_nonce(), rendering the entire check dead code. Compounding this, the settings handler is registered on the init hook without any capability gate, so no privilege level is required from the attacker. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

WordPress CSRF Mp Customize Login Page
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.

WordPress CSRF Blue Captcha
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.

WordPress CSRF Motordesk
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.

WordPress CSRF Book A Room Event Calendar
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in the Osiris Signature Banner WordPress plugin (all versions ≤ 0.5) enables unauthenticated attackers to update plugin settings and inject stored XSS payloads by tricking an authenticated administrator into triggering a forged request. Missing nonce validation across at least four functions (lines 107, 118, 139, and 189 of osiris-signature-banner.php) means any forged cross-origin form submission executed in an active admin session bypasses all server-side origin checks. No public exploit identified at time of analysis and no KEV listing is present, but the stored XSS secondary impact elevates real-world risk above a typical CSRF-only finding.

WordPress CSRF Osiris Signature Banner
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker +4
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.

Apple Linux CSRF +5
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privileged `/api/system/*` admin API methods because the `system` role resolves to the cron admin identity without requiring credentials, session, or CSRF token. The flaw, rated CVSS 4.0 10.0 with full vulnerable- and subsequent-system impact, is patched in 0.8.0; publicly available exploit code exists per VulnCheck's writeup chaining this bypass to SSTI for remote code execution.

CSRF Information Disclosure Fossbilling
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

CSRF session hijacking in Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 for Perl stems from a predictable default state parameter built from a SHA-1 hash of leaked epoch time and Perl's weak rand(). Remote attackers can guess or precompute valid state values to forge OAuth2 authorization responses and bind a victim's session to an attacker-controlled identity. No public exploit identified at time of analysis, EPSS is low (0.19%, 8th percentile), and a vendor patch is available.

CSRF Mojolicious
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery in Gogs 0.14.1 lets a remote attacker escalate to organization owner by tricking a logged-in owner into loading a crafted URL. The `/teams/:team/action/:action` route accepts GET requests and the global CSRF check only fires on POST, so an `add` action against the Owners team executes without a token. No public exploit is identified at time of analysis beyond the advisory's reproduction steps, and the issue is not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.

Docker CSRF PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.

Open Redirect Redis Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.

WordPress CSRF Motors +1
NVD WPScan VulDB
MEDIUM PATCH This Month

Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.

Microsoft Apple CSRF +3
NVD GitHub
CVSS 6.8
MEDIUM PATCH This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure +2
NVD GitHub
LOW PATCH Monitor

CSRF protection bypass in symfony/ux-live-component allowed cross-origin invocation of any server-side #[LiveAction] method against an authenticated victim's session. The library incorrectly relied on the Accept: application/vnd.live-component+html header as a CSRF guard, but per the Fetch specification §3.2.2 this is a CORS-safelisted header, meaning cross-origin fetch() calls can include it without triggering a preflight OPTIONS request. Applications using SameSite=None cookies or those reachable via a same-origin pivot (e.g., XSS on the same domain) are genuinely exposed; Symfony's default SameSite=Lax policy substantially mitigates the risk for standard deployments. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-site WebSocket hijacking in Tilt (the tilt-dev Kubernetes development tool) versions 0.24.0 through 0.37.3 lets a network-adjacent attacker read the developer's entire HUD view stream when the HUD is bound to a non-loopback address. The intended anti-CSWSH protection fails because the gating CSRF token is served by an unauthenticated endpoint and the WebSocket upgrader also accepts any client that omits an Origin header. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exposure is limited to non-default deployments that bind the listener beyond localhost.

CSRF
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

The cas-auth plugin in Apache APISIX 3.0.0-3.16.0 enables identity substitution via CSRF under its default configuration. An attacker who lures a victim to an attacker-controlled webpage can cause the victim's browser to complete a CAS authentication handshake as the attacker's identity within the APISIX gateway. Subsequent API gateway actions performed by the victim are then recorded and authorized under the attacker's account, creating audit trail corruption and potential authorization abuse. No public exploit code exists and this CVE is not listed in CISA KEV at time of analysis.

CSRF Apache Apache Apisix
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.

CSRF Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.

CSRF WordPress User Admin Simplifier
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site request forgery in the WP EasyPay WordPress plugin (versions through 4.4.0) enables remote attackers to perform unauthorized administrative actions by tricking an authenticated WordPress administrator into visiting a maliciously crafted page. Missing or insufficient nonce verification on one or more plugin endpoints allows the attacker's forged request to be processed as a legitimate action using the victim's active session. No public exploit code and no CISA KEV listing are present at time of analysis.

CSRF Wp Easypay
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Grav CMS (getgrav/grav < 1.7.53) exposes admin bcrypt password hashes, SMTP credentials, and full site configuration to any actor who can obtain a session-static admin-nonce value - via XSS, Referrer header leakage, browser history, or proxy logs - because the backup download endpoint enforces only a single URL-embedded nonce with no form-level CSRF token and no session binding. The default backup profile archives the entire GRAV_ROOT directory including user/accounts/ and user/config/ without exclusions, and the download handler Base64-encodes the absolute filesystem path in the response URL, leaking server internals. A fully functional public PoC is available; no CISA KEV listing exists at time of analysis, but downstream risk includes offline hashcat cracking followed by unauthenticated admin login with no server-side rate limiting.

CSRF Information Disclosure RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Cross-site request forgery in UBB.threads forum software version 7.7.5 (and potentially earlier versions) allows remote attackers to coerce authenticated forum users - including administrators - into executing unintended state-changing actions by visiting an attacker-controlled page. The flaw was reported by CERT-PL after unsuccessful vendor contact, so no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high impact when an authenticated administrator is targeted, though exploitation requires active user interaction.

CSRF Ubb Threads
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.

CSRF PHP Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.

File Upload CSRF PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

CSRF PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).

CSRF PHP Cotonti
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.

CSRF WordPress Optimole Optimize Images Convert Webp Avif Cdn Lazy Load Image Optimization
NVD VulDB
CVSS 9.6
CRITICAL PATCH Act Now

Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.

Python CSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Gitea 1.25.x affects the built-in 3D file viewer (Online3DViewer integration) where a crafted .gltf file with an unsupported extension name in extensionsRequired is rendered into the DOM via innerHTML without sanitization. Any low-privileged user who can push a file to a repository (including a public fork) can compromise the session of any user who later views the file, enabling token theft and full account takeover. Publicly available exploit code exists (a working PoC is included in the GHSA-9cpj-qc93-vw8v advisory); no public exploit identified at time of analysis in CISA KEV.

Gitea CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the `/api/news-items` endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.

CSRF Simplcommerce
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Emergency Password Reset
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Skyline Wp
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in PremiumPress WordPress Dating Theme versions 11.2.0 and earlier allows remote attackers to coerce authenticated victims into performing unintended state-changing actions, with Patchstack documenting an account takeover path. The CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability when a targeted user is tricked into visiting attacker-controlled content. No public exploit identified at time of analysis and the theme has not been listed in CISA KEV.

CSRF WordPress Wordpress Dating Theme
NVD
EPSS 2% CVSS 9.0
CRITICAL POC PATCH Act Now

Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. The flaw stems from the route handler omitting the `checkAuth()` wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. Publicly available exploit code exists (working curl PoCs and a CSRF HTML PoC are included in the GitHub Security Advisory GHSA-xmwj-c75x-6346); no public exploit identified at time of analysis in CISA KEV.

CSRF SSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized access to critical data is achievable in Oracle MySQL Shell's Dump and Load component, affecting versions 8.4.0-8.4.9 and 9.0.0-9.7.0. An unauthenticated network attacker can exploit this across multiple protocols, but requires a victim user to interact - likely by connecting to or loading a dump from a malicious source. The attack yields complete read access to all MySQL Shell-accessible data with no integrity or availability side effects. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Authentication Bypass Oracle Mysql Shell +1
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker who can lure a privileged user into interacting with attacker-controlled content to read or modify all WebCenter Content data and pivot into additional Oracle Fusion Middleware products via a scope change. The CVSS 3.1 base score of 8.0 reflects high confidentiality and integrity impact tempered by high attack complexity and required user interaction, and no public exploit identified at time of analysis.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

Account takeover in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content over HTTP. The scope-changing flaw carries a CVSS 3.1 base score of 9.6 with high confidentiality, integrity, and availability impact, and there is no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37304 and addressed in Oracle's June 2026 Critical Patch Update.

Oracle Oracle Webcenter Content CSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker to read, create, modify, or delete all data accessible to the product after coaxing a victim into a single interaction over HTTP. The scope-changed nature means the impact extends beyond WebCenter Content into other Fusion Middleware components sharing trust with it. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but the 9.3 CVSS base score and 'easily exploitable' wording from Oracle place it in the priority-patch tier for the June 2026 CPU.

Authentication Bypass Oracle Oracle Webcenter Content +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cookie integrity failure in the Hono AWS Lambda adapter (npm/hono < 4.12.25) causes multiple Set-Cookie response headers to be merged into a single comma-separated value, violating RFC 6265 and producing unparseable cookie strings on ALB single-header mode (the default deployment) and VPC Lattice v2. Applications setting more than one cookie per response - including session tokens and CSRF cookies - will find those cookies silently dropped or misparsed by clients, potentially breaking authentication flows or defeating CSRF protections without any visible server-side error. No public exploit is identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the defect is deterministic and triggers automatically on any multi-cookie response in affected deployments.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-Site Request Forgery in WP Migrate Lite (WordPress plugin by WP Engine, versions ≤ 2.7.8) enables unauthenticated remote attackers to force authenticated administrators to invoke unauthorized plugin actions by deceiving them into visiting a malicious page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/A:L) confirms low-complexity network exploitation with changed scope, meaning triggered actions can produce availability impact beyond the plugin itself - consistent with migration or database operations affecting the broader WordPress installation. No public exploit code and no CISA KEV listing have been identified at time of analysis.

CSRF Wp Migrate Lite
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Incomplete CSRF protection in React Router v7 Framework Mode leaves PUT, PATCH, and DELETE document requests unguarded while POST requests are correctly validated. Applications running react-router 7.12.0-7.15.0 or @remix-run/server-runtime 2.17.3-2.17.4 in Framework Mode are the exclusive attack surface - Declarative and Data Mode deployments are unaffected. Real-world exploitability is substantially constrained by modern browser defaults (SameSite=Lax cookies, CORS preflight), meaning successful exploitation requires a browser or cookie configuration that bypasses these ambient controls; no public exploit code exists and this vulnerability is not in CISA KEV.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{team}/join), exploiting the fact that text/plain Content-Type does not trigger a CORS preflight check. In CTF deployments this allows score inflation by forcing victims to solve Juice Shop challenges credited to the attacker's team; any sensitive data entered by the victim is also captured in the attacker's Juice Shop instance. No public exploit identified at time of analysis, and a vendor-released patch is available in version 10.0.1.

CSRF Kubernetes Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Cp Polls
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-site request forgery in MISP (Malware Information Sharing Platform) stems from the Security.check_sec_fetch_site_header control shipping disabled by default, leaving state-changing automation endpoints unprotected against browser-issued cross-origin requests. A remote attacker hosting a malicious page can coerce an authenticated MISP user's browser into submitting forged POST/PUT/AJAX requests that execute with the victim's privileges, enabling unauthorized data or configuration changes. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Account takeover in phpBB via OAuth state-verification flaw enables remote attackers to link a victim's forum account to an attacker-controlled identity provider account. Successful exploitation requires the victim to click an attacker-crafted link while authenticated, after which the attacker can authenticate as the victim through the linked external provider. No public exploit identified at time of analysis, but a vendor community advisory has been published.

CSRF Phpbb
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery.16.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpevently
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF Yoast Duplicate Post
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site request forgery in the Easy Twitter Feeds WordPress plugin (versions before 1.2.13) allows unauthenticated remote attackers to trigger unauthorized post duplication by tricking an authenticated site user into visiting a crafted URL. The duplicate_post action handler fails to verify WordPress nonces, meaning any authenticated user's browser session can be silently weaponized to clone posts of any post type without their knowledge. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor-released fix is version 1.2.13.

CSRF Easy Twitter Feeds
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.

XSS Python CSRF
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Session and OIDC state cookies in nebula-mesh up to v0.3.1 are transmitted without the Secure attribute, allowing a network-adjacent attacker who can observe a single plaintext HTTP request to recover the session cookie and fully impersonate the operator for up to 24 hours. The OIDC state cookie carries an additional CSRF risk during its 10-minute validity window, enabling an attacker to hijack the OIDC callback flow. A working reproducer is included in the GHSA advisory; no public exploit framework distribution is known and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-site request forgery in the Nezha monitoring dashboard (versions >= 1.0.0, < 2.0.14) allows remote attackers to force a logged-in user's browser to trigger any of the victim's existing cron tasks via a GET navigation to /api/v1/cron/:id/manual, causing the stored command to be dispatched to the victim's online agents. The flaw stems from a state-changing GET endpoint protected only by a SameSite=Lax JWT cookie with no CSRF token, Origin/Referer check, or Fetch Metadata guard. No public exploit identified at time of analysis beyond the reporter's safe Go-test proof; the issue is not in CISA KEV.

CSRF Google
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cross-site request forgery in QNAP Notification Center allows remote unauthenticated attackers to forge state-changing requests on behalf of authenticated NAS users, potentially resulting in privilege escalation or session hijacking within the Notification Center context. Affected versions are all Notification Center 1.10.0 builds prior to 1.10.0.3291, confirmed by QNAP advisory QSA-26-13 and EUVD-2025-210096. Exploitation requires active victim interaction (CVSS 4.0 UI:A), integrity impact is rated low (VI:L), and no public exploit code or active exploitation has been identified at time of analysis.

CSRF Notification Center
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in OpenEMR before 8.0.0.1 lets an authenticated patient portal user inject HTML/JavaScript into demographic fields via the PUT api/patient/:num endpoint, which fires later in a clinician's authenticated session when the prescription CSS/HTML multi-print feature renders the patient name and address without output encoding. Because the payload executes inside the main OpenEMR UI under the clinician's session, the attacker crosses the patient-to-clinician trust boundary and can steal CSRF tokens, exfiltrate session data, and perform privileged actions as the clinician. SSVC currently rates exploitation as POC, no public exploit identified at time of analysis, and EPSS is 0.03% (9th percentile), but the cross-tenant trust crossing in a healthcare app makes the issue material for any internet-exposed deployment.

CSRF XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().

PHP RCE CSRF +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in FastPicker (versions up to and including 1.0.2), a WooCommerce order management plugin for WordPress, allows unauthenticated remote attackers to modify the plugin's administrative settings by tricking a logged-in site administrator into clicking a crafted link. Specifically, the `settingsPage` function in `Admin.php` lacks proper nonce validation, enabling forged POST requests that can toggle the plugin's webhook integration and redirect FastPicker and KDZ API endpoint URLs to attacker-controlled infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery combined with stored XSS in the WP Emoticon Rating WordPress plugin (all versions ≤ 1.0.1) allows unauthenticated remote attackers to persistently inject malicious scripts into site settings by tricking a logged-in administrator into clicking a crafted link. The CVSS Scope:Changed rating reflects that the injected payload executes beyond the admin context, potentially affecting all site visitors. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the AJAX Report Comments WordPress plugin (≤2.0.4) allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into triggering a forged request. The rc_options_page function in report-comments.php performs missing or incorrect nonce validation, enabling an attacker to overwrite notification email addresses, comment thresholds, link text, and message bodies without any privileges of their own. No public exploit code or CISA KEV listing has been identified at time of analysis, but the notification email hijack vector makes this a meaningful integrity risk on affected sites.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery combined with reflected XSS in the WpMobi WordPress plugin (all versions through 0.0.3) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by forging a settings-save request. The handleSaveGeneralSettings function performs no nonce validation, permitting any remote party to submit crafted plugin settings on behalf of an authenticated admin. A particularly notable aspect is that the injected script in the app_name parameter fires even when server-side validation rejects the value, because the view layer re-renders the form with the unsanitized in-memory value rather than a sanitized fallback - meaning the XSS trigger does not depend on successful data persistence. No public exploit code or CISA KEV listing has been identified at time of analysis.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

WP-Ultimate-Map plugin for WordPress (versions up to and including 1.1) is vulnerable to a chained CSRF-to-stored-XSS attack that allows unauthenticated network attackers to hijack plugin settings and inject persistent JavaScript into the WordPress admin panel. The missing nonce check on `process_init()` - hooked to `admin_init` - means any forged POST with a `save-setting` parameter will overwrite plugin options without any authentication or state validation. The injected `zoom-level` value is then stored unsanitized and reflected verbatim into an HTML attribute and inline JavaScript block on the settings page, completing the XSS chain. No public exploit identified at time of analysis.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.

CSRF WordPress PHP
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Cross-site request forgery in SemCms 5.0 allows a remote attacker to perform unauthorized actions against the admin user management endpoint at /admin/semcms_user.php by tricking an authenticated administrator into triggering a crafted POST request. The affected product is a PHP-based CMS and the vulnerability stems from a missing or bypassable CSRF token on a privileged administrative function. Publicly available exploit code exists per SSVC data, though the vulnerability has not been added to the CISA KEV catalog and is not confirmed as actively exploited in the wild.

CSRF PHP N A
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.

CSRF XSS Privilege Escalation
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.0) enables unauthenticated remote attackers to manipulate invoice status records - including fraudulently marking unpaid invoices as paid - by tricking an authenticated site administrator into triggering a forged HTTP request. The flaw originates in the change_status function of the invoices controller, which lacks proper WordPress nonce validation. No public exploit code or CISA KEV listing exists at time of analysis; however, the financial integrity risk to booking-oriented WordPress sites is disproportionately high relative to the moderate CVSS score of 4.3, which is suppressed by the required user interaction (UI:R) rather than by low business impact.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Frontend User Notes WordPress plugin (all versions through 2.1.1) allows unauthenticated remote attackers to trick an authenticated victim into overwriting their own note content. The funp_ajax_modify_notes function lacks proper nonce validation, enabling forged requests to invoke wp_update_post() on behalf of the logged-in victim. No public exploit has been identified at time of analysis, and the attack's impact is bounded by ownership enforcement: only the tricked victim's own notes can be altered, not those of arbitrary third-party users.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Android (prior to 149.0.7827.53) enables remote unauthenticated attackers to exfiltrate data from other origins by directing a victim to a crafted HTML page that exploits an inappropriate UI implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects low-complexity network exploitation requiring only a single user interaction, with high confidentiality impact and no integrity or availability loss. No public exploit code and no active exploitation have been identified; an EPSS of 0.03% at the 11th percentile aligns with Chromium's own internal Low severity rating, placing this firmly in the patch-and-move-on category.

CSRF Google Chrome
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-origin data leakage in Google Chrome's Autofill component prior to version 149.0.7827.53 enables remote attackers to exfiltrate sensitive data from other origins by enticing a victim to visit a crafted HTML page. Despite a CVSS score of 7.5 reflecting high confidentiality impact, the EPSS score of 0.03% and Chromium's own 'Low' severity rating indicate limited real-world risk, and no public exploit identified at time of analysis.

CSRF Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows a remote unauthenticated attacker to read sensitive cross-origin data by luring a user to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network-exploitable, no-privilege-required exploitation with a single user interaction as the only barrier. No public exploit has been identified and EPSS sits at 0.03% (11th percentile), indicating low current exploitation interest despite the low attack complexity.

CSRF Google Chrome
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 allows remote unauthenticated attackers to read sensitive cross-origin information by directing a victim to a crafted HTML page that exploits an inappropriate CSS implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms network delivery with no privilege requirement, limited only by the need for user interaction. EPSS is 0.03% (11th percentile) and no public exploit has been identified at time of analysis; however, Google has issued a confirmed patch in the stable channel release, and the CWE-352/CSRF tag alongside the data-leakage description suggests a novel or hybrid attack class that security teams should monitor for further clarification.

CSRF Google Chrome
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.

CSRF Google Chrome
NVD VulDB
Prev Page 2 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8438

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy