| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In Bitaxe ESP-Miner before 2.5.0 with AxeOS, one can use an /api/system CSRF attack to update the payout address (aka stratumUser) for a Bitaxe Bitcoin miner, or change the frequency and voltage settings. |
| Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. |
| The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. |
| The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrect nonce validation on the 'ELISQLREPORTS_menu' function. This makes it possible for unauthenticated attackers to execute code on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Version 5.25.10 adds a nonce check, which makes this vulnerability exploitable by admins only. |
| The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| In Shenzhen C-Data Technology Co. FD602GW-DX-R410 (firmware v2.2.14), the web management interface contains an authenticated CSRF vulnerability on the reboot endpoint (/boaform/admin/formReboot). An attacker can craft a malicious webpage that, when visited by an authenticated administrator, causes the router to reboot without explicit user consent. This lack of CSRF protection on a sensitive administrative function can lead to denial of service by disrupting network availability. |
| Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. |
| The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Soccer Engine – Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation when saving match and team settings. This makes it possible for unauthenticated attackers to change plugin settings as well as teams, players, etc. via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASWeb application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Administrator accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack. |
| The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name="referrer" content="never">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue. |
| Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS.This issue affects PDF Creator Lite: from n/a through <= 1.2. |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager. |
| Improper access control in the endpoint /RoleMenuMapping/AddRoleMenu of Digiteam v4.21.0.0 allows authenticated attackers to escalate privileges. |
| The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. |
| The Transporters.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
