Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2549 | 1 Featherplugins | 1 Feather Login Page | 2023-11-07 | N/A | 8.8 HIGH |
| The Feather Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions starting from 1.0.7 up to, and including, 1.1.1. This is due to missing nonce validation in the 'createTempAccountLink' function. This makes it possible for unauthenticated attackers to create a new user with administrator role via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can leverage CVE-2023-2545 to get the login link or request a password reset to the new user's email address. | |||||
| CVE-2023-2528 | 1 Supsystic | 1 Contact Form | 2023-11-07 | N/A | 8.8 HIGH |
| The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2416 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress By Vcita | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for unauthenticated to logout a vctia connected account which would cause a denial of service on the appointment scheduler, via a forged request granted they can trick a site user into performing an action such as clicking on a link. | |||||
| CVE-2023-2407 | 1 Vcita | 2 Event Registration Calendar By Vcita, Online Payments - Get Paid With Paypal\, Square \& Stripe | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2405 | 1 Vcita | 1 Crm And Lead Management By Vcita | 2023-11-07 | N/A | 6.5 MEDIUM |
| The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2303 | 1 Vcita | 1 Contact Form And Calls To Action By Vcita | 2023-11-07 | N/A | 6.1 MEDIUM |
| The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.4. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2301 | 1 Vcita | 1 Contact Form Builder By Vcita | 2023-11-07 | N/A | 6.1 MEDIUM |
| The Contact Form Builder by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.1. This is due to missing nonce validation on the ls_parse_vcita_callback function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2286 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-29008 | 1 Svelte | 1 Sveltekit | 2023-11-07 | N/A | 8.8 HIGH |
| The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed in versions prior to 1.15.2 by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters, but this check does not block all expected CORS requests. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. This may lead to all POST operations requiring authentication being allowed in the following cases: If the target site sets `SameSite=None` on its auth cookie and the user visits a malicious site in a Chromium-based browser; if the target site doesn't set the `SameSite` attribute explicitly and the user visits a malicious site with Firefox/Safari with tracking protections turned off; and/or if the user is visiting a malicious site with a very outdated browser. SvelteKit 1.15.2 contains a patch for this issue. It is also recommended to explicitly set `SameSite` to a value other than `None` on authentication cookies especially if the upgrade cannot be done in a timely manner. | |||||
| CVE-2023-29003 | 1 Svelte | 1 Sveltekit | 2023-11-07 | N/A | 8.8 HIGH |
| SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request. | |||||
| CVE-2023-28718 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2023-11-07 | N/A | 8.0 HIGH |
| Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests. This may allow an attacker to perform certain actions with administrative privileges if a logged-in user visits a malicious website. | |||||
| CVE-2023-25991 | 1 Metagauss | 1 Registrationmagic | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in RegistrationMagic plugin <= 5.1.9.2 versions. | |||||
| CVE-2023-25973 | 1 Autoaffiliatelinks | 1 Auto Affiliate Links | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3.0.2 versions. | |||||
| CVE-2023-25968 | 1 Cozmoslabs | 1 Client Portal | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin Ungureanu, Antohe Cristian Client Portal – Private user pages and login plugin <= 1.1.8 versions. | |||||
| CVE-2023-25709 | 1 Plainware | 1 Locatoraid | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Plainware Locatoraid Store Locator plugin <= 3.9.11 versions. | |||||
| CVE-2023-25708 | 1 Coderex | 1 Wp Vr | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions. | |||||
| CVE-2023-25569 | 1 Apolloconfig | 1 Apollo | 2023-11-07 | N/A | 5.7 MEDIUM |
| Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages. | |||||
| CVE-2023-25170 | 1 Prestashop | 1 Prestashop | 2023-11-07 | N/A | 8.8 HIGH |
| PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1. | |||||
| CVE-2023-25066 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in FolioVision FV Flowplayer Video Player plugin <= 7.5.30.7212 versions. | |||||
| CVE-2023-25065 | 1 Shapedplugin | 1 Wp Tabs | 2023-11-07 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in ShapedPlugin WP Tabs – Responsive Tabs Plugin for WordPress plugin <= 2.1.14 versions. | |||||