Total
5841 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22699 | 1 Flycms Project | 1 Flycms | 2024-01-23 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/update_group_save. | |||||
| CVE-2023-3178 | 1 Wpexperts | 1 Post Smtp | 2024-01-22 | N/A | 4.3 MEDIUM |
| The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack. | |||||
| CVE-2023-0824 | 1 Wpuserplus | 1 Userplus | 2024-01-22 | N/A | 6.5 MEDIUM |
| The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2023-5900 | 1 Sfu | 1 Pkp Web Application Library | 2024-01-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2024-22568 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/del. | |||||
| CVE-2024-22591 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_save. | |||||
| CVE-2024-22592 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_update | |||||
| CVE-2024-22593 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/add_group_save | |||||
| CVE-2023-51949 | 1 Verydows | 1 Verydows | 2024-01-19 | N/A | 8.8 HIGH |
| Verydows v2.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /protected/controller/backend/role_controller | |||||
| CVE-2021-24870 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2024-01-19 | N/A | 6.1 MEDIUM |
| The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload | |||||
| CVE-2021-25117 | 1 Lesterchan | 1 Wp-postratings | 2024-01-19 | N/A | 4.8 MEDIUM |
| The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled. | |||||
| CVE-2023-7083 | 1 Davidjmiller | 1 Voting Record | 2024-01-19 | N/A | 5.4 MEDIUM |
| The Voting Record WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-51063 | 1 Qstar | 1 Archive Storage Manager | 2024-01-18 | N/A | 8.8 HIGH |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level. | |||||
| CVE-2023-6242 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-01-18 | N/A | 4.3 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.7 (for Free). This is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function. This makes it possible for unauthenticated attackers to update arbitrary post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6244 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-01-18 | N/A | 4.3 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This makes it possible for unauthenticated attackers to modify virtual event settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-27488 | 1 Fortinet | 6 Fortiai, Fortimail, Fortindr and 3 more | 2024-01-18 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests. | |||||
| CVE-2023-7048 | 1 Premio | 1 My Sticky Bar | 2024-01-17 | N/A | 4.3 MEDIUM |
| The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function. | |||||
| CVE-2023-4246 | 1 Givewp | 1 Givewp | 2024-01-17 | N/A | 4.3 MEDIUM |
| The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_remote_install_handler function. This makes it possible for unauthenticated attackers to install and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6520 | 1 Melapress | 1 Wp 2fa | 2024-01-17 | N/A | 4.3 MEDIUM |
| The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if a nonce is set. By omitting a nonce from the request, the check can be bypassed. | |||||
| CVE-2023-50932 | 1 Savignano | 1 S\/notify | 2024-01-17 | N/A | 7.1 HIGH |
| An issue was discovered in savignano S/Notify before 4.0.2 for Confluence. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Confluence, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | |||||