Total
8506 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1000137 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 8.8 High |
| I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. | ||||
| CVE-2025-11759 | 2 Watchful, Wordpress | 2 Xcloner, Wordpress | 2025-12-05 | 4.3 Medium |
| The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | ||||
| CVE-2025-13362 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13144 | 2 Contentstudio, Wordpress | 2 Contentstudio, Wordpress | 2025-12-05 | 4.3 Medium |
| The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13360 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-10055 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12128 | 1 Wordpress | 1 Wordpress | 2025-12-05 | 4.3 Medium |
| The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12190 | 2 Duddi, Wordpress | 2 Image Optimizer, Wordpress | 2025-12-05 | 4.3 Medium |
| The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-59114 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send malicious file to the server. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-59112 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-59110 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-11154 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-05 | 5.4 Medium |
| The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-13790 | 1 Scada-lts | 1 Scada-lts | 2025-12-04 | 4.3 Medium |
| A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65840 | 2 Publiccms, Sanluan | 2 Publiccms, Publiccms | 2025-12-04 | 8.8 High |
| PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. | ||||
| CVE-2025-13871 | 1 Objectplanet | 1 Opinio | 2025-12-04 | 8.8 High |
| Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows to upload files on behalf of the connected users and then access such files without authentication. | ||||
| CVE-2025-13140 | 2 Devsoftbaltic, Wordpress | 2 Surveyjs Drag Drop Wordpress Form Builder, Wordpress | 2025-12-04 | 4.3 Medium |
| The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13685 | 2 Ays-pro, Wordpress | 2 Photo Gallery, Wordpress | 2025-12-04 | 4.3 Medium |
| The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12358 | 4 Elementor, Roxnor, Woocommerce and 1 more | 4 Elementor, Shopengine Elementor Woocommerce Builder Addon, Woocommerce and 1 more | 2025-12-04 | 4.3 Medium |
| The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link. | ||||
| CVE-2025-65027 | 1 Rommapp | 1 Romm | 2025-12-04 | 7.6 High |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2025-66061 | 3 Castos, Craig Hewitt, Wordpress | 3 Seriously Simple Podcasting, Seriously Simple Podcasting, Wordpress | 2025-12-04 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Cross Site Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | ||||