Total
8807 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13520 | 2 Mtcaptcha, Wordpress | 2 Wordpress Plugin, Wordpress | 2026-01-08 | 4.3 Medium |
| The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14468 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 4.3 Medium |
| The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled. | ||||
| CVE-2024-37937 | 2 Rarathemes, Wordpress | 2 Rara Business, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Rara Business allows Cross Site Request Forgery.This issue affects Rara Business: from n/a through 1.2.5. | ||||
| CVE-2024-37508 | 1 Rarathemes | 1 Construction Landing Page | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Construction Landing Page allows Cross Site Request Forgery.This issue affects Construction Landing Page: from n/a through 1.3.5. | ||||
| CVE-2024-37503 | 2 Rarathemes, Wordpress | 2 Lawyer Landing Page, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Lawyer Landing Page allows Cross Site Request Forgery.This issue affects Lawyer Landing Page: from n/a through 1.2.4. | ||||
| CVE-2024-37451 | 2 Rarathemes, Wordpress | 2 Travel Agency, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Travel Agency allows Cross Site Request Forgery.This issue affects Travel Agency: from n/a through 1.4.9. | ||||
| CVE-2024-37450 | 2 Rarathemes, Wordpress | 2 Benevolent, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery.This issue affects Benevolent: from n/a through 1.3.4. | ||||
| CVE-2024-37435 | 1 Rarathemes | 1 Perfect Portfolio | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery.This issue affects Perfect Portfolio: from n/a through 1.2.0. | ||||
| CVE-2024-31205 | 1 Saleor | 1 Saleor | 2026-01-07 | 4.2 Medium |
| Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware, that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`. | ||||
| CVE-2024-31371 | 2 Wordpress, Xylusthemes | 2 Wordpress, Wp Event Aggregator | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Xylus Themes WP Event Aggregator.This issue affects WP Event Aggregator: from n/a through 1.7.6. | ||||
| CVE-2024-33688 | 2 Extendthemes, Wordpress | 2 Teluro, Teluro Theme | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.This issue affects Teluro: from n/a through 1.0.31. | ||||
| CVE-2022-47443 | 1 Danielpowney | 1 Multi Rating | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions. | ||||
| CVE-2024-31429 | 2 Blossomthemes, Wordpress | 2 Sarada, Wordpress | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Sarada Lite.This issue affects Sarada Lite: from n/a through 1.1.2. | ||||
| CVE-2024-37243 | 2 Blossomthemes, Wordpress | 2 Vandana, Wordpress | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through 1.1.9. | ||||
| CVE-2023-50931 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 2.0.1 for Bitbucket. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Bitbucket, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2023-50932 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 4.0.2 for Confluence. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Confluence, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2025-14163 | 2 Leap13, Wordpress | 2 Premium Addons For Elementor, Wordpress | 2026-01-05 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | ||||
| CVE-2024-6719 | 2 Webgarh, Wordpress | 2 Offload Videos, Wordpress | 2026-01-05 | 8.1 High |
| The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack | ||||
| CVE-2025-65203 | 1 Keepassxc | 1 Keepassxc-browser | 2026-01-05 | 7.1 High |
| KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials. | ||||
| CVE-2018-25152 | 1 Ecessa | 1 Edge Ev150 | 2026-01-05 | 5.3 Medium |
| Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. | ||||