Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8444)

EPSS 0% CVSS 6.5
MEDIUM This Month

Tenda AC7 firmware through V03.03.03.01_cn lacks CSRF protections on administrative web functions, enabling attackers to trick authenticated administrators into executing unauthorized configuration changes. An unauthenticated attacker can craft malicious requests that, when visited by an admin, modify router settings without their knowledge or consent. No patch is currently available.

CSRF Ac7 Firmware
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 6.5 MEDIUM]

CSRF Open Eclass Platform
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. [CVSS 6.4 MEDIUM]

.NET XSS CSRF +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Blair Williams ThirstyAffiliates thirstyaffiliates is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

UsersWP plugin versions 1.2.53 and earlier contain a CSRF vulnerability that enables attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. An attacker can craft malicious requests to modify user data or settings through a victim's browser session. No patch is currently available for this vulnerability.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can perform Cross-Site Request Forgery (CSRF) attacks against users of Enter Addons version 2.3.2 and earlier, potentially modifying victim data through unwanted actions. The vulnerability requires user interaction to succeed but carries no authentication barriers, allowing attackers to forge requests that alter application state. No patch is currently available to remediate this issue.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

wp.insider Simple Membership WP user Import simple-membership-wp-user-import is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Copyscape Copyscape Premium copyscape-premium is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sigmize through version 0.0.9 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users. The flaw requires user interaction but could enable unauthorized modifications or state changes within the application. No patch is currently available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

magepeopleteam WpEvently mage-eventpress is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Unauthenticated attackers can perform unauthorized actions on WRC-X1500GS-B and WRC-X1500GSA-B routers through cross-site request forgery attacks that exploit the lack of CSRF protections. An attacker can trick authenticated users into visiting a malicious webpage that silently executes unwanted commands on the affected device. No patch is currently available.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.

WordPress XSS CSRF
NVD
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enabling attackers to conduct login CSRF attacks against GitHub and Google login flows. An attacker can pre-authenticate a victim's session and trick them into logging into the attacker's account, causing the victim's data and academic progress to be stored on the attacker's account instead. Public exploit code exists for this vulnerability, and a patch is available.

Github CSRF Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Missing CSRF protection in Tuleap's Overview inconsistent items feature allows authenticated attackers to trick users into performing unwanted actions via crafted requests, potentially leading to unauthorized artifact link creation and data manipulation. The vulnerability affects multiple Tuleap versions and has been patched in Community Edition 17.0.99.1768924735 and Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. This requires user interaction and valid credentials but poses a moderate risk to Tuleap deployments.

CSRF Tuleap
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. [CVSS 8.8 HIGH]

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Five Star Restaurant Reservations WordPre versions up to 2.7.9 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD WPScan
EPSS 0% CVSS 2.1
LOW POC Monitor

Medical Certificate Generator App versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Medical Certificate Generator App
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Popup Box WordPress plugin through version 6.1.1 contains a Cross-Site Request Forgery vulnerability where the nonce validation mechanism accepts internally-generated tokens instead of user-submitted ones, allowing unauthenticated attackers to alter popup publish status through social engineering attacks targeting site administrators. An attacker can trick an admin into clicking a malicious link to toggle popups on or off without their knowledge or consent. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. [CVSS 4.3 MEDIUM]

CSRF Navigate Cms
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. [CVSS 5.3 MEDIUM]

CSRF
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. [CVSS 5.3 MEDIUM]

CSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. [CVSS 5.3 MEDIUM]

CSRF Liman
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH]

Drupal CSRF Acquia Content Hub
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1).

Drupal CSRF Login Time Restriction
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Syncbreeze Diskpulse
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Ezcast Pro Dongle Ii Firmware versions up to 1.17478.146 is affected by improper input validation (CVSS 8.8).

CSRF Ezcast Pro Dongle Ii Firmware
NVD
EPSS 0%
NONE PATCH Awaiting Data

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.

Python CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Tenda W30E V2 firmware through V16.01.0.19(5037) lacks CSRF protections on administrative functions, enabling attackers to hijack authenticated admin sessions and modify configuration settings or reset administrator credentials. An attacker can craft malicious requests that execute with the privileges of a logged-in administrator when visited in their browser. No patch is currently available for this vulnerability.

CSRF W30e Firmware
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Friendly Functions for Welcart (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Set Bulk Post Categories (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.

WordPress CSRF Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails is affected by cross-site request forgery (csrf) (CVSS 4.7).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

GeoDirectory versions before 2.8.150 are vulnerable to cross-site request forgery attacks that could allow an attacker to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction to exploit and can result in integrity violations, though no patch is currently available.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

John James Jacoby WP Term Order wp-term-order is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Timur Kamaev Kama Thumbnail kama-thumbnail is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Merge + Minify + Refresh WordPress plugin through version 2.14 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. An attacker can craft malicious requests to trick site administrators into executing unintended operations, potentially compromising website functionality or configuration. No patch is currently available for this vulnerability.

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

storeapps Stock Manager for WooCommerce woocommerce-stock-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

teachPress through version 9.0.12 is vulnerable to Cross-Site Request Forgery attacks that enable unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability requires user interaction and can result in data integrity compromise or service disruption, though confidentiality is not affected. No patch is currently available for this vulnerability.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SearchAzon versions 1.4 and earlier are vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow unauthenticated attackers to perform unauthorized actions on behalf of users. The vulnerability requires user interaction and has limited impact, restricted to integrity violations without affecting confidentiality or availability. No patch is currently available for this issue.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

AA-Team Wordpress Movies Bulk Importer movies importer is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 7.1
HIGH This Week

gregmolnar Simple XML Sitemap simple-xml-sitemap is affected by cross-site request forgery (csrf) (CVSS 7.1).

CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Online Course Registration versions up to 3.1 is affected by cross-site request forgery (csrf) (CVSS 6.5).

CSRF Online Course Registration
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite is affected by cross-site request forgery (csrf) (CVSS 8.8).

CSRF
NVD
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Horilla HRMS version 1.4.0 contains insufficient input validation in its XSS prevention function, allowing attackers to bypass protections through context-agnostic regex patterns. Public exploit code exists for this vulnerability, enabling attackers to redirect users to malicious sites, execute arbitrary JavaScript, and steal CSRF tokens for use in admin-targeted attacks. The vulnerability affects Horilla 1.4.0 and has been patched in version 1.5.0.

XSS CSRF Horilla
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. [CVSS 5.3 MEDIUM]

XSS CSRF Getsimplecms
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. [CVSS 6.5 MEDIUM]

RCE CSRF Getsimplecms
NVD GitHub Exploit-DB
EPSS 0% CVSS 3.5
LOW Monitor

IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 3.5 LOW]

IBM CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Newsletter WordPress plugin through version 9.1.0 contains a cross-site request forgery vulnerability in the hook_newsletter_action() function due to insufficient nonce validation, allowing unauthenticated attackers to unsubscribe legitimate users if they can trick a logged-in administrator into clicking a malicious link. This attack requires user interaction but poses a direct integrity risk to newsletter subscriber lists. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery (CSRF) in Birkir Prime through version 0.4.0.beta.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web requests. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch has been released as of this advisory.

CSRF Prime
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery in Mpay up to version 1.2.4 allows unauthenticated remote attackers to perform unauthorized actions via a crafted request. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to attack.

CSRF Mpay
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Patients Waiting Area Queue Management System
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

PHPGurukul News Portal 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The flaw affects the integrity of user actions but does not compromise confidentiality or availability.

CSRF News Portal
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Kimai versions prior to 2.46.0 contain an overly permissive Twig sandbox configuration in the export functionality that allows authenticated users with export permissions to execute arbitrary method calls and extract sensitive data such as environment variables, password hashes, and session tokens. Public exploit code exists for this vulnerability. The issue is resolved in version 2.46.0 and later.

CSRF Kimai
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

LEAV Last Email Address Validator (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. [CVSS 5.3 MEDIUM]

CSRF
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.4
HIGH POC This Week

Cross-Site Request Forgery (CSRF) in Easy!Appointments 1.5.2 and earlier allows remote attackers to perform administrative actions including admin account creation, credential modification, and full account takeover by tricking authenticated administrators into visiting a malicious page. The vulnerability stems from incomplete CSRF protection that only validates POST requests while state-changing operations accept GET parameters. A publicly available exploit exists (GitHub Security Advisory GHSA-54v4-4685-vwrj), though EPSS exploitation probability is low (0.01%, 1st percentile) and the vulnerability is not listed in CISA KEV, suggesting limited real-world exploitation to date.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. [CVSS 6.5 MEDIUM]

CSRF Arunna
NVD GitHub Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SocialChamp with WordPress (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]

WordPress PHP SQLi +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Prowise Reflect 1.0.9 exposes a WebSocket on port 8082 that accepts unauthenticated keyboard injection commands. Malicious web pages can type keystrokes and open applications on the display device. PoC available.

CSRF Reflect
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

SAP Fiori App Intercompany Balance Reconciliation an attacker is affected by cross-site request forgery (csrf) (CVSS 4.3).

SAP Industrial CSRF
NVD
EPSS 0% CVSS 2.4
LOW PATCH Monitor

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. [CVSS 2.4 LOW]

CSRF Pilos
NVD GitHub
Prev Page 9 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8444

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy