Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8446)

EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Bhaskar Dhote Post Carousel Slider allows Stored XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Pedro Marcelo Issuu Panel allows Stored XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Gitlab
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An improper input validation the CSRF filter results in unsanitized user input written to the application logs. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 12% CVSS 8.8
HIGH PATCH This Month

The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 11.6%.

RCE CSRF WordPress +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Wp Image Uploader
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Wonder FontAwesome plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Wonder Fontawesome
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Cp Contact Form
NVD
EPSS 0% CVSS 4.3
MEDIUM POC Monitor

The Bulk Me Now!. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Bulk Me Now
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC This Week

Teedy <= 1.12 is vulnerable to Cross Site Request Forgery (CSRF), due to the lack of CSRF protection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Teedy
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The MailUp Auto Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Mailup Auto Subscription
NVD
EPSS 0% CVSS 8.1
HIGH This Month

Cross Site Request Forgery (CSRF) vulnerability in LifestyleStore v1.0 allows a remote attacker to execute unauthorized actions on behalf of an authenticated user, potentially leading to account. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of user provided parameters, allowing an attacker with. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Br 6476Ac Firmware
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Go Maps (formerly WP Google Maps) WP Go Maps.0.40. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd allows Cross Site Request Forgery.18.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in slaFFik BuddyPress Groups Extras allows Cross Site Request Forgery.6.10. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery.7.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in MetaSlider Responsive Slider by MetaSlider allows Cross Site Request Forgery.92.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH POC This Month

The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Week

The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Altra Side Menu
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC Monitor

The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Customer Area
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC Monitor

The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Customer Area
NVD WPScan
EPSS 2% CVSS 8.8
HIGH PATCH This Month

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

RCE CSRF WordPress +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Linear plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in mgplugin Roi Calculator allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in FluentSMTP & WPManageNinja Team FluentSMTP allows Cross Site Request Forgery.2.80. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in NowButtons.com Call Now Button allows Cross Site Request Forgery.4.13. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Side Menu Lite allows Cross Site Request Forgery.3.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Sticky Buttons allows Cross Site Request Forgery.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Modal Window allows Cross Site Request Forgery.1.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Herd Effects allows Cross Site Request Forgery.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery.0.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Bubble Menu - circle floating menu allows Cross Site Request Forgery.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator - easily Button Builder allows Cross Site Request Forgery.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Radius Blocks allows Cross Site Request Forgery.1.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Popup Box allows Cross Site Request Forgery.2.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in G5Theme Essential Real Estate allows Cross Site Request Forgery.1.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Attire Attire Blocks allows Cross Site Request Forgery.9.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in datafeedr.com WooCommerce Cloak Affiliate Links allows Cross Site Request Forgery.0.35. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Laymance Technologies LLC MachForm Shortcode allows Stored XSS.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Security Really Simple SSL allows Cross Site Request Forgery.1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Job Board Manager allows Cross Site Request Forgery.1.59. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search allows Cross Site Request Forgery.78.258. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates allows Cross Site Request Forgery.4.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Optimal Access Inc. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ReviewsTap ReviewsTap allows Stored XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in SubscriptionDNA.com Subscription DNA allows Stored XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in RSTheme Ultimate Coming Soon & Maintenance allows Cross Site Request Forgery.0.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in RSTheme Ultimate Coming Soon & Maintenance allows Cross Site Request Forgery.0.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Automate Hub
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Media Library Mime Type allows Stored XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

The Variation Swatches for WooCommerce plugin, in all versions starting at 1.0.8 up until 1.3.2, contains a vulnerability due to improper nonce verification in its settings reset functionality. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Authentication Bypass CSRF WordPress +1
NVD
EPSS 0% CVSS 7.3
HIGH POC This Month

A Cross Site Request Forgery (CSRF) vulnerability in Code Astro Internet banking system 2.0.0 allows remote attackers to execute arbitrary JavaScript on the admin page (pages_account), potentially. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Internet Banking System
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM Monitor

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft CSRF Jenkins +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Bitbucket Server Integration
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFarmer Ultimate Subscribe allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in PQINA Snippy allows Reflected XSS.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Vulnerability in the Oracle Financial Services Behavior Detection Platform product of Oracle Financial Services Applications (component: Web UI). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle Financial Services Behavior Detection Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle Primavera P6 Enterprise Project Portfolio Management
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Oracle Primavera P6 Enterprise Project Portfolio Management
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Oracle Jd Edwards Enterpriseone Tools
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Region Mapping). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle E Business Suite
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in anyroad.com AnyRoad allows Cross Site Request Forgery.3.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) vulnerability has been found in SpagoBI v3.5.1 in the user administration panel. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Spagobi
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Codechecker
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in PPO Việt Nam (ppo.vn) PPO Call To Actions allows Cross Site Request Forgery.1.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Wp Bibtex
NVD
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Week

PwnDoc is a penetration test report generator. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

CSRF Pwndoc
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

The Webcamconsult plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

The ShipWorks Connector for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF WordPress Wp Abstracts
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

All versions of ETIC Telecom Remote Access Server (RAS) prior to 4.9.19 are vulnerable to cross-site request forgery (CSRF). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Denial Of Service Remote Access Server Firmware
NVD
EPSS 3% CVSS 10.0
CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification allows Cross Site Request Forgery.2.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Oliver Schaal GravatarLocalCache allows Cross Site Request Forgery.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Genkisan Genki Announcement allows Cross Site Request Forgery.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Ivo Brett - ApplyMetrics Apply with LinkedIn buttons allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Dan Cameron Add RSS allows Stored XSS.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in anmari amr personalise allows Cross Site Request Forgery.10. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Tim Ridgway Better Protected Pages allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in PayForm PayForm allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder allows Cross Site Request Forgery.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Robert Nicholson Copyright Safeguard Footer Notice allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Shibu Lijack a.k.a CyberJack CJ Custom Content allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Katz Web Services, Inc. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
Prev Page 27 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8446

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy