Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8447)

EPSS 0% CVSS 8.8
HIGH POC This Week

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/homePro_deal.php?mudi=del&dataType=&dataTypeCN. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=add&nohrefStr=close. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=rev&nohrefStr=close. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/share_switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images shortpixel-adaptive-images.8.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Soccer Engine - Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The ADFO - Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Joli FAQ SEO - WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC This Week

The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Recaptcha Jetpack
NVD WPScan
EPSS 0% CVSS 7.1
HIGH POC This Week

The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The LetterPress WordPress plugin through 1.2.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Letterpress
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM POC This Month

The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in andy_moyle Church Admin church-admin.1.32. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Razvan Mocanu, Madalin Ungureanu, Cristophor Hurduban TranslatePress.7.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Warfare Plugins Social Warfare.4.5.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter.7.2.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in WebinarPress.33.17. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms.2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Revmakx WPCal.Io - Easy Meeting Scheduler.Io - Easy Meeting Scheduler: from n/a through 0.9.5.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Unyson Unyson unyson.7.29. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in divSpot DS Site Message.14.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Huseyin Berberoglu WP Favorite Posts.6.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Easy Digital Downloads.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Easy Digital Downloads
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass XSS CSRF +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SimpleShop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in DedeCMS 5.7.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability classified as problematic was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability classified as problematic has been found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability was found in DedeCMS 5.7 and classified as problematic.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability has been found in DedeCMS 5.7 and classified as problematic. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery vulnerability in Socomec Net Vision, version 7.20. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in DedeCMS 5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dedecms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Restaurant and Cafe.2.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Restaurant And Cafe
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Popup Box Team Popup box allows Cross-Site Scripting (XSS).1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH Act Now

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Werkzeug Debian Linux +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=clearWebCache. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/readDeal.php?mudi=updateWebCache. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Idccms
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

WordPress CSRF Mf Gig Calendar
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Mediawiki Fedora
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The CM Tooltip Glossary - Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Easy Restaurant Table Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Paid Memberships Pro - Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Paid Memberships Pro
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Svs Pricing Tables
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Svs Pricing Tables
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Upload
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The 5280 Bootstrap Modal Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

This vulnerability was a potential CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Google Firebase Command Line Interface
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload in Xserver Migrator.6.1. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload CSRF
NVD
EPSS 0% CVSS 5.2
MEDIUM POC This Month

The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Counter Box
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Herd Effects
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC This Month

The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Popup Box
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC This Week

The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Side Menu Lite
NVD WPScan
EPSS 0% CVSS 7.5
HIGH POC This Week

The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Sticky Buttons
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC This Week

The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wow Skype Buttons
NVD WPScan
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Modal Window
NVD WPScan
EPSS 0% CVSS 3.4
LOW POC Monitor

The Button Generator WordPress plugin before 3.0 does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Button Generator
NVD WPScan
EPSS 0% CVSS 4.5
MEDIUM POC This Month

The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Float Menu
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability exists in TvRock 0.9t8a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Multiple security vulnerabilities has been discovered in web interface of NetGuardian DIN Remote Telemetry Unit (RTU), by DPS Telecom. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass XSS CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Sandor Kovacs Regenerate post permalink allows Cross-Site Scripting (XSS).0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Piotnet Piotnet Addons For Elementor Pro.1.17. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Sticky Anything allows Cross-Site Scripting (XSS).1.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS CSRF
NVD
EPSS 0% CVSS 3.8
LOW POC Monitor

The MM-email2image WordPress plugin through 0.2.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OptinMonster Popup Builder Team OptinMonster.15.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Jegstudio Financio.1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station radio-station.5.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.0.31. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Teluro
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Republic Hide Dashboard Notifications.2.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Cookie Information A/S WP GDPR Compliance.0.23. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mainwp Child Reports
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in FameThemes FameTheme Demo Importer.1.5. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in eranfl ClickCease Click Fraud Protection clickcease-click-fraud-protection.2.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.5.70. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Matthew Fries MF Gig Calendar.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mf Gig Calendar
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Cryout Creations Serious Slider.2.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brijesh Kothari Smart Maintenance Mode.4.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
Prev Page 39 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8447

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy