Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22817 | 1 Flycms Project | 1 Flycms | 2024-01-23 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/email/email_conf_updagte | |||||
| CVE-2024-22601 | 1 Flycms Project | 1 Flycms | 2024-01-23 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/scorerule_save | |||||
| CVE-2024-22699 | 1 Flycms Project | 1 Flycms | 2024-01-23 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/update_group_save. | |||||
| CVE-2023-3178 | 1 Wpexperts | 1 Post Smtp | 2024-01-22 | N/A | 4.3 MEDIUM |
| The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack. | |||||
| CVE-2023-0824 | 1 Wpuserplus | 1 Userplus | 2024-01-22 | N/A | 6.5 MEDIUM |
| The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. | |||||
| CVE-2023-5900 | 1 Sfu | 1 Pkp Web Application Library | 2024-01-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16. | |||||
| CVE-2024-22568 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/del. | |||||
| CVE-2024-22591 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_save. | |||||
| CVE-2024-22592 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_update | |||||
| CVE-2024-22593 | 1 Flycms Project | 1 Flycms | 2024-01-20 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/add_group_save | |||||
| CVE-2023-51949 | 1 Verydows | 1 Verydows | 2024-01-19 | N/A | 8.8 HIGH |
| Verydows v2.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /protected/controller/backend/role_controller | |||||
| CVE-2021-24870 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2024-01-19 | N/A | 6.1 MEDIUM |
| The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload | |||||
| CVE-2021-25117 | 1 Lesterchan | 1 Wp-postratings | 2024-01-19 | N/A | 4.8 MEDIUM |
| The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled. | |||||
| CVE-2023-7083 | 1 Davidjmiller | 1 Voting Record | 2024-01-19 | N/A | 5.4 MEDIUM |
| The Voting Record WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-51063 | 1 Qstar | 1 Archive Storage Manager | 2024-01-18 | N/A | 8.8 HIGH |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level. | |||||
| CVE-2023-6242 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-01-18 | N/A | 4.3 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.7 (for Free). This is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function. This makes it possible for unauthenticated attackers to update arbitrary post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6244 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-01-18 | N/A | 4.3 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This makes it possible for unauthenticated attackers to modify virtual event settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-27488 | 1 Fortinet | 6 Fortiai, Fortimail, Fortindr and 3 more | 2024-01-18 | N/A | 8.8 HIGH |
| A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests. | |||||
| CVE-2023-7048 | 1 Premio | 1 My Sticky Bar | 2024-01-17 | N/A | 4.3 MEDIUM |
| The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function. | |||||
| CVE-2023-4246 | 1 Givewp | 1 Givewp | 2024-01-17 | N/A | 4.3 MEDIUM |
| The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_remote_install_handler function. This makes it possible for unauthenticated attackers to install and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||