Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8447)

EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Stored XSS.9.9.5.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ahmeti Ahmeti Wp Timeline ahmeti-wp-timeline allows Stored XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Change Howdy cj-change-howdy allows Cross Site Request Forgery.3.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in julian.weinert cSlider cslider allows Cross Site Request Forgery.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Nikel Cookie Scanner cookie-scanner allows Cross Site Request Forgery.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in GabbyKhrmon Wsify Widget wsify-widget allows Stored XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery.4.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in sumitsurai Featured Posts with Multiple Custom Groups (FPMCG) featured-posts-with-multiple-custom-groups-fpmcg allows Cross Site Request Forgery.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Razon Komar Pal Linked Variation for WooCommerce linked-variation-for-woocommerce allows Cross Site Request Forgery.0.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in tuxlog wp-Monalisa wp-monalisa.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Forminator Forms
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Forminator Forms
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the addPro parameter of the component doAdminAction.php which allows a remote attacker to execute arbitrary code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco CSRF Ata 191 Firmware +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Manager
NVD
EPSS 43% 4.4 CVSS 8.0
HIGH POC PATCH THREAT Act Now

Arbitrary file deletion in the WP Fastest Cache WordPress plugin (versions up to and including 0.9.0.2) allows authenticated low-privileged users to remove arbitrary files from the underlying server due to missing capability checks and inadequate path validation. Publicly available exploit code exists, and the EPSS score of 43.15% (97th percentile) indicates a notably elevated exploitation probability relative to the broader CVE population. The flaw is tagged as CSRF (CWE-352), meaning the deletion action can also be triggered via a forged request against an authenticated victim.

WordPress CSRF Wp Fastest Cache
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The WP ULike - The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Ulike
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM CSRF Watson Studio Local
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Oracle Peoplesoft Enterprise People Tools
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

A Cross-Site Request Forgery (CSRF) in Codeigniter 3.1.13 allows attackers to arbitrarily change the Administrator password and escalate privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Codeigniter
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

CSRF Hono
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to Cross Site Request Forgery (CSRF) via /edit-profile.php. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF User Registration Login And User Management System
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power". Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Splunk Splunk Cloud Platform
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache CSRF +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Checkmk
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Denial Of Service Lollms Web Ui
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Stackable - Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress CSRF +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The ImagePress - Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Imagepress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Newsletter Smtp Email Marketing And Subscribe
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

ampache is a web based audio/video streaming application and file manager. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Ampache
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in nicejob NiceJob nicejob allows Stored XSS.6.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in TinyPNG TinyPNG tiny-compress-images allows Cross Site Request Forgery.4.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.6.X before 3.6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Cargo
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-Site Scripting (XSS).0. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS CSRF Timeprovider 4100 Firmware
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Ultimate Member
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A security vulnerability in HPE IceWall Agent products could be exploited remotely to cause a Cross-Site Request Forgery (CSRF) in the login flow. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Gs 4210 24P2S Firmware Gs 4210 24Pl4C Firmware
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

CSRF Adam 5630 Firmware
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in bg5sbk MiniCMS 1.11. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Minicms
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability was found in bg5sbk MiniCMS up to 1.11 and classified as problematic.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Minicms
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Projectworld Online Voting System Version 1.0 is vulnerable to Cross Site Request Forgery (CSRF) via voter.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Online Voting System
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in kishan0725's Hospital Management System version 6.3.5. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Hospital Management System
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

MZK-DP300N firmware versions 1.04 and earlier contains a cross-site request forger vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mzk Dp300N Firmware
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give.15.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dnesscarkey Use Any Font use-any-font allows Cross Site Request Forgery.3.08. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Strawberry GraphQL is a library for creating GraphQL APIs. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Python CSRF File Upload +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack and execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Cisco CSRF +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Cisco +3
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/doAdminAction.php?act=delCate&id=31. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dingfanzu Cms
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=addCate. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dingfanzu Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Adstxt
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Easy Paypal Events
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Premium Packages Sell Digital Products Securely
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Ba Book Everything
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Frogcms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/delete/123. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Frogcms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/create_directory. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Frogcms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/?/plugin/file_manager/rename. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Frogcms
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Propertyhive
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Posts Reminder
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Enhanced Search Box
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Visual Sound
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Infolinks Ad Wrap
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM This Month

The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Lunary
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Privilege Escalation WordPress CSRF +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Favicon Generator
NVD WPScan
EPSS 0% CVSS 6.8
MEDIUM POC This Month

The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF PHP +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Blogintroduction Wordpress Plugin
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Visual Sound
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Ilc Thickbox
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Misiek Photo Album
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Easy Property Listings
NVD WPScan
EPSS 0% CVSS 5.7
MEDIUM This Month

A low privileged remote attacker can get access to CSRF tokens of higher privileged users which can be abused to mount CSRF attacks. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Tc Mguard Rs4000 4G Vzw Vpn Firmware Tc Mguard Rs4000 4G Vpn Firmware +34
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin delete arbitrary indexes via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Azindex
NVD WPScan
Prev Page 34 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8447

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy