Total
8237 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8507 | 1 Filemanagerpro | 1 File Manager | 2024-10-17 | 8.8 High |
| The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. This is due to missing or incorrect nonce validation on the 'mk_file_folder_manager' ajax action. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-47828 | 1 Ampache | 1 Ampache | 2024-10-17 | 5.3 Medium |
| ampache is a web based audio/video streaming application and file manager. A CSRF attack can be performed in order to delete objects (Playlist, smartlist etc.). Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. This vulnerability can be exploited by creating a malicious script with an arbitrary playlist ID belonging to another user. When the user submits the request, their playlist will be deleted. Any User with active sessions who are tricked into submitting a malicious request are impacted, as their playlists or other objects could be deleted without their consent. | ||||
| CVE-2024-47846 | 2 Mediawiki, Wikimedia | 2 Cargo, Mediawiki-cargo | 2024-10-16 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery.This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1. | ||||
| CVE-2020-36839 | 2024-10-16 | 8.3 High | ||
| The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.99. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative actions, such as adding pages to the site and/or replacing site content with malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-39408 | 1 Adobe | 2 Commerce, Magento | 2024-10-16 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changeson behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction. | ||||
| CVE-2024-39409 | 1 Adobe | 2 Commerce, Magento | 2024-10-16 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction. | ||||
| CVE-2024-39410 | 1 Adobe | 2 Commerce, Magento | 2024-10-16 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-9592 | 2024-10-15 | 6.1 Medium | ||
| The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-8477 | 1 Brevo | 1 Newsletter\, Smtp\, Email Marketing And Subscribe | 2024-10-15 | 4.3 Medium |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-1342 | 2024-10-14 | 4.2 Medium | ||
| Unable to reproduce. | ||||
| CVE-2024-8520 | 1 Ultimatemember | 1 Ultimate Member | 2024-10-08 | 5.3 Medium |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the admin_init or user_action_hook function. This makes it possible for unauthenticated attackers to modify a users membership status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-47644 | 2024-10-07 | 7.1 High | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Copyscape / Indigo Stream Technologies Copyscape Premium allows Stored XSS.This issue affects Copyscape Premium: from n/a through 1.3.6. | ||||
| CVE-2024-47635 | 1 Tinypng | 1 Tinypng | 2024-10-07 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in TinyPNG.This issue affects TinyPNG: from n/a through 3.4.3. | ||||
| CVE-2024-7689 | 2 Snapshot Backup Project, Versluis | 2 Snapshot Backup, Snapshot-backup | 2024-10-07 | 4.7 Medium |
| The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-7687 | 2 Azindex Project, Azindex Wordpress Plugin | 2 Azindex, Azindex Wordpress Plugin | 2024-10-07 | 6.1 Medium |
| The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-7688 | 2 Azindex Project, Azindex Wordpress Plugin | 2 Azindex, Azindex Wordpress Plugin | 2024-10-07 | 6.5 Medium |
| The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin delete arbitrary indexes via a CSRF attack | ||||
| CVE-2024-7892 | 2 Vladyslav Bondarenko, Vladyslavbondarenko | 2 Adstxt, Adstxt | 2024-10-07 | 4.3 Medium |
| The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-7690 | 1 Digireturn | 2 Dn-popup, Dn Popup | 2024-10-07 | 5.4 Medium |
| The DN Popup WordPress plugin through 1.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2024-28948 | 1 Advantech | 2 Adam-5630, Adam-5630 Firmware | 2024-10-04 | 8 High |
| Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. | ||||
| CVE-2024-8458 | 2 Planet, Planet Technology Corp | 6 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 3 more | 2024-10-04 | 8.8 High |
| Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts. | ||||