Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8444)

EPSS 0% CVSS 8.8
HIGH POC This Week

Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. [CVSS 8.2 HIGH]

RCE SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. [CVSS 8.2 HIGH]

PHP SQLi CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. [CVSS 4.3 MEDIUM]

CSRF File Upload
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM This Month

QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges.

CSRF
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WooCommerce plugin versions 5.4.0 through 10.5.2 fail to properly validate batch requests, enabling unauthenticated attackers to execute administrative actions through CSRF attacks, including creation of arbitrary admin accounts. The vulnerability affects all WordPress installations running vulnerable WooCommerce versions and requires user interaction to exploit. No patch is currently available.

WordPress CSRF
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD WPScan
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.

CSRF Gokapi Suse
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Idno prior to version 1.6.4 contains an authentication bypass in the URL unfurl API endpoint that allows unauthenticated attackers to trigger arbitrary outbound HTTP requests from the server. An attacker can exploit this to access internal network addresses and cloud metadata services, potentially exposing sensitive configuration and credentials. No patch is currently available for affected installations.

CSRF SSRF Known
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. [CVSS 8.1 HIGH]

CSRF Chamilo Lms
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.

CSRF Openclaw
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

CSRF Privilege Escalation Authentication Bypass +6
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misint...

CSRF Mercurius
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Configuration that allows authenticated administrators to modify security settings without valid CSRF token validation. An attacker with administrative privileges can exploit this to bypass security controls by manipulating the group_id parameter before token verification occurs. Public exploit code exists for this vulnerability, and a patch is available.

CSRF Concrete Cms
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Impact Mobile versions up to 19.11.2.10-20210118042150283 is affected by cross-site request forgery (csrf) (CVSS 8.1).

CSRF Impact Mobile
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. [CVSS 6.1 MEDIUM]

CSRF Clininet
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unauthenticated account creation in phpMyFAQ versions before 4.0.18 allows remote attackers to register unlimited user accounts through the WebAuthn prepare endpoint without authentication, CSRF protection, or captcha validation, even when registration is disabled. Public exploit code exists for this vulnerability. Update to version 4.0.18 or later to remediate.

CSRF Phpmyfaq
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Sl902 Swtgw124as Firmware
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.

XSS CSRF Osctrl +1
NVD GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. [CVSS 3.1 LOW]

CSRF Blockchain
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 2.6
LOW POC Monitor

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. [CVSS 2.6 LOW]

PHP CSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-site request forgery in Parse Dashboard (versions 7.3.0-alpha.42 through 9.0.0-alpha.7) lets a remote attacker abuse the unprotected AI Agent endpoint (POST /apps/:appId/agent), which lacks CSRF protection and a session-bound token. By luring an authenticated dashboard operator to a malicious web page, the attacker forces agent requests to execute under the victim's session, driving state-changing operations against managed Parse Server apps. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue is fixed in 9.0.0-alpha.8.

CSRF Parse Dashboard
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Unauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remote attackers operate against any connected Parse Server using the master key. Affected builds span the 7.3.0-alpha.42 through 9.0.0-alpha.7 pre-releases, but only deployments that have explicitly enabled the opt-in agent feature are exposed. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the chained authentication/CSRF/authorization gaps make exploitation trivial where the feature is configured.

CSRF Parse Dashboard Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR prior to version 8.0.0 allows low-privileged users to export sensitive patient and medical data through the message_list.php report functionality due to missing access controls. The vulnerability affects receptionists and similar roles who can bypass authorization checks to extract entire message databases containing confidential information. Public exploit code exists for this issue, though a patch is available in version 8.0.0 and later.

PHP CSRF Openemr
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. [CVSS 7.5 HIGH]

Golang MySQL CSRF +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized configuration changes in Binardat 10G08-0800GSM network switches (firmware V300SP10260209 and prior) result from missing CSRF protections in the administrative interface. An attacker can craft a malicious request to trick an authenticated administrator into modifying switch settings without their knowledge or consent. No patch is currently available for this vulnerability.

CSRF 10g08 0800gsm Firmware
NVD
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Bludit 3.16.1 lacks CSRF protections on administrative endpoints, allowing attackers to trick authenticated admins into uninstalling plugins or installing malicious themes via crafted web requests. Public exploit code exists for this vulnerability, enabling unauthorized modification of site functionality and potential code execution through untrusted theme installation.

CSRF Bludit
NVD GitHub
EPSS 0%
This Week

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Tenda F3 Wireless Router firmware lacks CSRF protections in its administrative interface, enabling attackers to trick authenticated administrators into making unauthorized configuration changes through crafted requests. An unauthenticated attacker can exploit this to modify router settings by socially engineering an admin into visiting a malicious webpage. No patch is currently available for this vulnerability.

CSRF F3 Firmware
NVD
EPSS 0% CVSS 7.4
HIGH This Week

CollabPlatform's misconfigured CORS policy allows credentialed cross-origin requests from attacker-controlled domains, enabling unauthorized access to sensitive user account data including email addresses, account identifiers, and MFA status. All versions of the application are affected by this vulnerability, which remains unpatched and exploitable through simple web-based attacks requiring user interaction.

CSRF Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM POC This Month

Arbitrary file upload in GetSimple CMS results from missing CSRF protection on the administrative upload endpoint, allowing an attacker to silently inject files through a malicious webpage visited by an authenticated admin. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker needs only to trick an authenticated user into visiting a crafted page to compromise the application.

CSRF Getsimple Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. [CVSS 8.8 HIGH]

PHP CSRF Phpmoadmin
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
EPSS 0%
PATCH Monitor

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning.

CSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Web Site Management Server versions up to 16.7.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).

CSRF Web Site Management Server
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.

CSRF AI / ML Openclaw
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Moose Kenta Companion kenta-companion is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

ThimPress RealPress versions up to 1.1.0 are vulnerable to cross-site request forgery attacks that could allow attackers to perform unauthorized actions on behalf of authenticated users. An attacker can exploit this vulnerability by tricking users into visiting a malicious webpage, resulting in integrity and availability impacts. No patch is currently available for this vulnerability.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Themes4WP Popularis Extra popularis-extra is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

themastercut Revision Manager TMC revision-manager-tmc is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Coachify versions 1.1.5 and earlier contain a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users through crafted requests. An attacker can leverage this to modify user data or trigger unwanted functionality with user interaction. No patch is currently available for this vulnerability.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

PublishPress PublishPress Revisions revisionary is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

wpzita Zita Elementor Site Library zita-site-library is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload endpoints. PoC and patch available.

CSRF Gogs Suse
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]

WordPress RCE CSRF +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Hospital Management System versions up to 4.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).

PHP CSRF Hospital Management System
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site request forgery (CSRF) in newbee-mall affects multiple endpoints, allowing unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability. No patch is currently available, and the project maintainers have not responded to the early disclosure notification.

CSRF
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.

WordPress CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Db2 Recovery Expert versions up to 5.5.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).

IBM Linux Windows +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 6.5 MEDIUM]

IBM CSRF Concert
NVD
EPSS 0% CVSS 3.5
LOW POC Monitor

Gym Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 3.5).

PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.

CSRF AI / ML Fastgpt
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Avideo versions up to 8.1 is affected by weak password recovery mechanism for forgotten password (CVSS 5.3).

CSRF Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]

CSRF Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.0
MEDIUM POC This Month

FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. [CVSS 4.0 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 3.6
LOW Monitor

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. [CVSS 3.6 LOW]

CSRF Chrome
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

HP OfficeJet Pro printers (D9l18a, D9l20a, D9l21a, D9l63a firmware) are vulnerable to information disclosure through CORS misconfiguration when administrators enable the feature on the Embedded Web Server. An unauthenticated remote attacker can exploit this to access sensitive device resources from untrusted web origins. CORS remains disabled by default as a mitigation, but organizations that have explicitly enabled it should apply patches when available.

CSRF HP J3p68a Firmware +40
NVD
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plain content instead of enforcing application/json, enabling attackers to modify project user roles through malicious forms. An authenticated admin visiting a malicious website could be tricked into unknowingly changing role assignments, potentially granting unauthorized access to projects. Public exploit code exists for this vulnerability, though a patch is available in version 1.2.50 and later.

CSRF Kanboard
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthenticated attackers to perform unauthorized actions on behalf of logged-in users through malicious websites. An attacker can exploit this vulnerability to modify placement records, access sensitive educational data, or compromise institutional operations without user knowledge. No patch is currently available.

CSRF Placipy
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.

Golang CSRF Fiber +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). [CVSS 5.4 MEDIUM]

CSRF Fast Tools
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. [CVSS 4.3 MEDIUM]

CSRF Wing Ftp Server
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

Ew-7438Rpn Mini Firmware versions up to 1.27 is affected by cross-site request forgery (csrf) (CVSS 8.1).

CSRF Ew 7438rpn Mini Firmware
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. [CVSS 4.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 3.5
LOW POC Monitor

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. [CVSS 3.5 LOW]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary adminis...

CSRF Axigen Mail Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Log Analysis versions 1.3.5.0 versions up to 1.3.8.3 is affected by cross-site request forgery (csrf) (CVSS 4.3).

IBM Industrial CSRF
NVD
EPSS 0% CVSS 2.1
LOW Monitor

lcg0124 BootDo is susceptible to cross-site request forgery (CSRF) attacks due to insufficient request validation, allowing remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability, though no patch is currently available. The rolling release model used by this product complicates version tracking for affected and patched instances.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attackers to bypass Content-Type validation through crafted headers. An attacker can exploit this to perform cross-site request forgery (CSRF) attacks by manipulating how the application interprets request content types. A patch is available in version 1.12.0.

CSRF Qwik
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]

CSRF Qwik
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Ew-7438Rpn Mini Firmware versions up to 1.13 is affected by cross-site request forgery (csrf) (CVSS 5.3).

CSRF Ew 7438rpn Mini Firmware
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
Prev Page 8 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8444

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy