Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8446)

EPSS 0% CVSS 7.1
HIGH This Week

CSRF vulnerability in CallPhone'r WordPress plugin through version 1.1.1 enables attackers to trick authenticated administrators into executing malicious requests that inject persistent XSS payloads into the application. This chained attack bypasses CSRF protections, allowing stored cross-site scripting that executes in victim browsers. The vulnerability requires user interaction (tricking an admin to click a malicious link) but needs no authentication from the attacker's perspective. EPSS probability of 0.08% (24th percentile) indicates low observed exploitation in the wild, with no CISA KEV listing or public POC identified at time of analysis.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Yummly Yummly Rich Recipes allows Cross Site Request Forgery.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in boroV Cackle allows Cross Site Request Forgery.33. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in wpsolutions SoundCloud Ultimate allows Cross Site Request Forgery.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Info Boxes Shortcode and Widget allows Cross Site Request Forgery.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ChrisHurst Simple Optimizer allows Cross Site Request Forgery.2.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in muro External image replace allows Cross Site Request Forgery.0.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in captcha.soft Image Captcha allows Cross Site Request Forgery.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in GBS Developer WP Ride Booking allows Cross Site Request Forgery.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Sébastien Dumont Auto Load Next Post allows Cross Site Request Forgery.5.14. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in wpshopee Awesome Logos allows SQL Injection.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in lucksy Typekit plugin for WordPress allows Cross Site Request Forgery.2.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in Contact Form 7 Material Design plugin versions up to 1.0.0 allows attackers to trick authenticated administrators into executing malicious requests that inject persistent JavaScript, achieving Stored XSS. CVSS 7.1 reflects the changed scope (S:C) and multi-stage attack requiring user interaction. EPSS score of 0.08% (24th percentile) indicates low probability of mass exploitation, with no evidence of active exploitation (not in CISA KEV) or public POC at time of analysis. This CSRF-to-XSS chain targets WordPress site administrators.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in giangmd93 GP Back To Top allows Cross Site Request Forgery.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Upload +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Upload
NVD
EPSS 0% CVSS 7.1
HIGH POC PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Mlflow AI / ML
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Flatpress
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability in polyaxon/polyaxon v2.4.0 allows attackers to perform unauthorized actions in the context of the victim's browser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Large Language And Vision Assistant
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF File Upload Denial Of Service +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Qanything
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE CSRF +1
NVD
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE CSRF Denial Of Service +1
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Open Webui
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the latest commit (56b782bcefd2e59b19cd7ba7878b95f54884f502) of the vanna-ai/vanna repository. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Db Gpt
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF XSS Gpt Academic
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Week

A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF XSS Comfyui
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Custom Twitter Feeds - A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability classified as problematic was found in 猫宁i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing Recapture for WooCommerce allows Cross Site Request Forgery.0.43. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Tripetto +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS +2
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Cross Site Request Forgery vulnerability in Open Panel OpenAdmin v.0.3.4 allows a remote attacker to escalate privileges via the Change Root Password function. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Openadmin
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP CSRF +2
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

The Limit Bio WordPress plugin through 1.0 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF XSS +2
NVD WPScan
EPSS 0%
This Week

Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name="referrer" content="never">`, effecti...

CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ohtan Spam Byebye allows Cross Site Request Forgery. This issue affects Spam Byebye: from n/a through 2.2.4. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in arkapravamajumder Back To Top allows Cross Site Request Forgery. This issue affects Back To Top: from n/a through 2.0. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CSRF vulnerability in the MaxA/B WordPress plugin (versions ≤2.2.2) chains into stored cross-site scripting, allowing remote attackers to inject malicious scripts into the WordPress admin interface via social engineering. The vulnerability requires user interaction (administrator must be tricked into visiting an attacker-controlled page while authenticated) but requires no authentication by the attacker. EPSS probability is low (0.05%, 14th percentile) indicating minimal observed exploitation attempts. No CISA KEV listing or public POC identified at time of analysis, suggesting limited real-world targeting.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS via CSRF in Insert Code WordPress plugin versions through 2.4 allows unauthenticated remote attackers to inject malicious scripts by tricking authenticated administrators into executing forged requests. The CSRF weakness (CWE-352) enables attackers to bypass normal access controls and store XSS payloads in the plugin's code insertion functionality. With CVSS 7.1 (High) and changed scope (S:C), successful exploitation impacts confidentiality, integrity, and availability across security boundaries. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, and no public exploit code or CISA KEV listing identified at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting (XSS) in DevriX Hashtags WordPress plugin 0.3.2 and earlier allows remote attackers to inject malicious scripts via CSRF-chained attack. Unauthenticated attackers can trick authenticated administrators into executing malicious requests that persist XSS payloads in the application. EPSS score of 0.05% (14th percentile) indicates low automated exploitation likelihood despite network attack vector. No active exploitation confirmed via CISA KEV, though publicly available exploit code exists. Scope change in CVSS vector indicates malicious script executes in victim's browser context, enabling session hijacking or privilege escalation.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in A. Chappard Display Template Name allows Cross Site Request Forgery. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting (XSS) in WordPress plugin WATI Chat and Notification versions through 1.1.2 can be triggered via CSRF attack, enabling attackers to inject persistent malicious scripts into the WordPress site. The vulnerability requires user interaction from an authenticated administrator but no direct authentication by the attacker, allowing scope change (S:C) that affects resources beyond the vulnerable component. EPSS score of 0.05% (14th percentile) indicates low current exploitation probability. Reported by Patchstack security research team, no CISA KEV listing or public POC identified at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting (stored XSS) via CSRF in No Disposable Email WordPress plugin through version 2.5.1 allows remote attackers to inject malicious scripts into the site's database. An attacker tricks an authenticated administrator into submitting a crafted request, which bypasses CSRF protections and stores XSS payload that executes when other users access affected pages. EPSS score of 0.05% (14th percentile) indicates low probability of widespread exploitation, with no active exploitation (not in CISA KEV) or public POC identified at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CSRF vulnerability in the Go To Top WordPress plugin through version 0.0.8 enables attackers to store malicious JavaScript via cross-site request forgery. An authenticated administrator or privileged user can be tricked into executing a forged request that injects persistent XSS payloads into the plugin's settings or content areas. The CVSS score of 7.1 reflects changed scope and multi-step exploitation requirements (CSRF leading to stored XSS). EPSS score of 0.05% (14th percentile) indicates very low probability of mass exploitation, consistent with a targeted attack against WordPress administrators requiring social engineering.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Ali Muni WP Add Active Class To Menu Item allows Cross Site Request Forgery. This issue affects WP Add Active Class To Menu Item: from n/a through 1.0. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Muntasir Rahman Custom Dashboard Page allows Cross Site Request Forgery. This issue affects Custom Dashboard Page: from n/a through 1.0. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ravinder Khurana WP Hide Admin Bar allows Cross Site Request Forgery. This issue affects WP Hide Admin Bar: from n/a through 2.0. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in edwardw WP No-Bot Question allows Cross Site Request Forgery. This issue affects WP No-Bot Question: from n/a through 0.1.7. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS via CSRF in Members page only for logged in users WordPress plugin (versions ≤1.4.2) allows remote attackers to inject malicious scripts that execute when administrators view plugin settings. The attack chain requires tricking an authenticated admin into clicking a malicious link or visiting an attacker-controlled page, which submits a forged request storing XSS payloads in the database. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis. This is a CSRF-to-stored-XSS chain requiring social engineering against WordPress administrators.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in TabGarb Pro WordPress plugin through version 2.6 enables stored cross-site scripting (XSS) attacks. Unauthenticated remote attackers can craft malicious requests that, when executed by authenticated administrators, inject persistent malicious scripts into the plugin's data. EPSS exploitation probability is low at 0.05% (14th percentile), and no public exploit identified at time of analysis, though the attack chain is well-understood for CSRF-to-XSS vulnerabilities in WordPress plugins.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CSRF in Domain Theme WordPress plugin (versions ≤1.3) allows unauthenticated attackers to inject persistent malicious scripts via tricked administrator actions. The chained vulnerability combines CSRF token absence with inadequate input sanitization, enabling stored XSS payload injection when an admin processes a forged request. EPSS score of 0.05% (14th percentile) indicates low widespread exploitation likelihood, with no active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS via CSRF vulnerability in the List of Posts from each Category WordPress plugin (versions up to 2.0) allows remote attackers to inject persistent malicious scripts into the site by tricking an authenticated administrator into submitting a crafted request. The CSRF weakness (CWE-352) enables the XSS payload delivery without direct admin interaction with malicious content. Publicly disclosed via Patchstack with low EPSS score (0.05%, 14th percentile), indicating minimal observed exploitation attempts despite network-based attack vector requiring only user interaction.

WordPress XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site scripting (XSS) in FTP Sync WordPress plugin versions ≤1.1.6 allows remote attackers to inject malicious scripts into the application via cross-site request forgery (CSRF). Exploitation requires user interaction (victim must be tricked into clicking a malicious link while authenticated), but no authentication is needed by the attacker to initiate the CSRF vector. The changed scope (S:C) indicates potential impact beyond the vulnerable component. No public exploit identified at time of analysis. EPSS score of 0.05% (14th percentile) suggests low probability of mass exploitation.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored XSS can be injected into price-calc WordPress plugin (versions up to 0.6.3) via CSRF attack vector, allowing attackers to execute malicious scripts in administrator browsers when authenticated users are tricked into visiting attacker-controlled pages. This chained vulnerability (CSRF enabling XSS) affects sites with authenticated administrative users and can lead to account compromise, privilege escalation, or malicious site modifications. EPSS score of 0.05% (14th percentile) indicates low probability of widespread exploitation, though the attack requires only user interaction (CVSS UI:R) rather than authentication from the attacker perspective.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Fastmover Plugins Last Updated Column allows Cross Site Request Forgery. This issue affects Plugins Last Updated Column: from n/a through 0.1.3. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram allows Cross Site Request Forgery. This issue affects REST API TO MiniProgram: from n/a through 4.7.1. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Rajesh Kumar WP Bulk Post Duplicator allows Cross Site Request Forgery. This issue affects WP Bulk Post Duplicator: from n/a through 1.2. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in WP Compare Tables plugin versions up to 1.0.5 enables attackers to chain CSRF with Stored XSS, allowing persistent malicious script injection via forged administrative requests. Reported by Patchstack, this vulnerability carries a 7.1 CVSS score with changed scope, indicating potential lateral impact beyond the vulnerable plugin. EPSS score of 0.05% (14th percentile) suggests low current exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Primary risk is targeted attacks against WordPress administrators through social engineering.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in mg12 Mobile Themes allows Cross Site Request Forgery. This issue affects Mobile Themes: from n/a through 1.1.1. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Skrill_Team Skrill Official allows Cross Site Request Forgery. This issue affects Skrill Official: from n/a through 1.0.65. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through 3.1. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in stesvis Frontpage category filter allows Cross Site Request Forgery. This issue affects Frontpage category filter: from n/a through 1.0.2. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in smerriman Login Logger allows Cross Site Request Forgery. This issue affects Login Logger: from n/a through 1.2.1. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Planet Studio Builder for Contact Form 7 by Webconstruct allows Cross Site Request Forgery. This issue affects Builder for Contact Form 7 by Webconstruct: from n/a through 1.2.2. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Carlos Minatti Delete Original Image allows Cross Site Request Forgery. This issue affects Delete Original Image: from n/a through 0.4. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Comment Date and Gravatar remover allows Cross Site Request Forgery. This issue affects Comment Date and Gravatar remover: from n/a through 1.0. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

CSRF vulnerability in WP jQuery Persian Datepicker plugin for WordPress enables stored cross-site scripting attacks through versions up to 0.1.0. Attackers can trick authenticated administrators into submitting malicious payloads that persist in the application, enabling later exploitation against other users. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit code exists at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in the Google News Editors Picks Feed Generator WordPress plugin (versions ≤2.1) enables attackers to chain exploitation into Stored XSS, allowing malicious scripts to persist in the site database and execute in administrator or user browsers. The attack requires tricking an authenticated administrator into visiting a malicious site or clicking a crafted link (UI:R). EPSS score is very low (0.05%, 14th percentile), indicating minimal real-world exploitation observed. No CISA KEV listing and no public POC identified at time of analysis.

XSS CSRF Google
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in CodeVibrant Maintenance Notice allows Cross Site Request Forgery. This issue affects Maintenance Notice: from n/a through 1.0.5. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting (XSS) in Rankchecker.io Integration WordPress plugin versions up to 1.0.9 can be triggered via cross-site request forgery (CSRF), enabling attackers to inject malicious scripts into the application that execute in victims' browsers. While the CVSS base score is 7.1 (High), real-world risk is tempered by the required user interaction (UI:R) and low EPSS score (0.05%, 14th percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in dangrossman W3Counter Free Real-Time Web Stats allows Cross Site Request Forgery. This issue affects W3Counter Free Real-Time Web Stats: from n/a through 4.1. [CVSS 4.3 MEDIUM]

CSRF
NVD
EPSS 0% CVSS 8.0
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. [CVSS 8.0 HIGH]

CSRF RCE
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request. [CVSS 6.8 MEDIUM]

CSRF RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, or (2) when username/password or Active Directory authentication is in use and a user visits a compromised/malicious site under the same effective top-level domain as the Seq server. Exploitation of the vulnerability allows the attacker to conduct impersonation attacks and perf...

CSRF
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC This Week

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/upd/status. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request. [CVSS 8.0 HIGH]

CSRF RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

tianti v2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /user/ajax/save. This vulnerability allows attackers to execute arbitrary operations via a crafted GET or POST request. [CVSS 8.8 HIGH]

CSRF RCE
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Stored Cross-Site Scripting in WPBookit WordPress plugin through version 1.0.1 can be achieved via CSRF attack vector. Attackers trick authenticated administrators into executing malicious requests that inject persistent JavaScript into the booking management interface, potentially leading to session hijacking, privilege escalation, or further site compromise. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, though the CVSS:3.1 score of 7.1 reflects the Changed Scope and combined impact of both CSRF and XSS vulnerabilities affecting confidentiality, integrity, and availability.

XSS CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF XSS +2
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Url Shortener Conversion Tracking Ab Testing Woocommerce +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress RCE CSRF +1
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Email Keep WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Email Keep
NVD WPScan
Prev Page 24 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8446

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy