Search
Total
904 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0345 | 1 Madewithfuel | 1 Customize Wordpress Emails And Alerts | 2023-08-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.). | |||||
| CVE-2022-0164 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2023-08-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users | |||||
| CVE-2022-0363 | 1 Mycred | 1 Mycred | 2023-08-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | |||||
| CVE-2022-0398 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2023-08-02 | 4.9 MEDIUM | 5.4 MEDIUM |
| The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website | |||||
| CVE-2022-0444 | 1 Watchful | 1 Xcloner | 2023-08-02 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. | |||||
| CVE-2022-3082 | 1 Miniorange | 1 Discord Integration | 2023-08-02 | N/A | 6.5 MEDIUM |
| The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example | |||||
| CVE-2023-3414 | 1 Jenkins | 1 Servicenow Devops | 2023-08-01 | N/A | 6.5 MEDIUM |
| A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform. | |||||
| CVE-2023-39156 | 1 Jenkins | 1 Bazaar | 2023-08-01 | N/A | 5.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags. | |||||
| CVE-2023-28023 | 1 Hcltech | 1 Bigfix Webui | 2023-08-01 | N/A | 6.5 MEDIUM |
| A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its network). | |||||
| CVE-2023-39153 | 1 Jenkins | 1 Gitlab Authentication | 2023-07-31 | N/A | 5.4 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account. | |||||
| CVE-2023-3977 | 2023-07-28 | N/A | 4.3 MEDIUM | ||
| Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery to unauthorized installation of plugins due to a missing nonce check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for unauthenticated attackers to install plugins from the limited list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-36404 | 1 Coleds | 1 Simple Seo | 2023-07-26 | N/A | 5.4 MEDIUM |
| Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions. | |||||
| CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2022-07-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | |||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2022-07-30 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2022-2071 | 1 Name Directory Project | 1 Name Directory | 2022-07-29 | N/A | 6.1 MEDIUM |
| The Name Directory WordPress plugin before 1.25.4 does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. | |||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector. | |||||
| CVE-2021-24333 | 1 Content Copy Protection \& Prevent Image Save Project | 1 Content Copy Protection \& Prevent Image Save | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. | |||||
| CVE-2021-24328 | 1 Clogica | 1 Wp Login Security And History | 2022-07-29 | 3.5 LOW | 6.2 MEDIUM |
| The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well | |||||
| CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to the lack of sanitisation and escaping in some parameters | |||||
| CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2022-07-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | |||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2022-07-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | |||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. | |||||
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users | |||||
| CVE-2021-24642 | 1 Scroll Banner Project | 1 Scroll Banner | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. This could allow attackers to make logged in admin change them and could lead to RCE (via a file upload) as well as XSS | |||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used. | |||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it. | |||||
| CVE-2021-24618 | 1 Wbolt | 1 Donate With Qrcode | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack. | |||||
| CVE-2021-24504 | 1 Wplearnmanager | 1 Wp Learn Manager | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated) | |||||
| CVE-2021-24467 | 1 Leaflet Map Project | 1 Leaflet Map | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin | |||||
| CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2022-07-29 | 5.0 MEDIUM | 5.4 MEDIUM |
| The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload) | |||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2022-07-29 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | |||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2022-07-29 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues | |||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2022-07-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24683 | 1 Awplife | 1 Weather Effect | 2022-07-29 | 4.3 MEDIUM | 5.4 MEDIUM |
| The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-07-29 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well. | |||||
| CVE-2022-22359 | 1 Ibm | 2 Partner Engagement Manager, Partner Engagement Manager On Cloud\/saas | 2022-07-27 | N/A | 6.5 MEDIUM |
| IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 220652. | |||||
| CVE-2022-29495 | 1 Sygnoos | 1 Popup Builder | 2022-07-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings. | |||||
| CVE-2022-29454 | 1 Wordplus | 1 Better Messages | 2022-07-26 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated. | |||||
| CVE-2020-5397 | 2 Oracle, Vmware | 27 Application Testing Suite, Communications Brm - Elastic Charging Engine, Communications Diameter Signaling Router and 24 more | 2022-07-25 | 2.6 LOW | 5.3 MEDIUM |
| Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack. | |||||
| CVE-2022-2223 | 1 Ghozylab | 1 Image Slider | 2022-07-25 | N/A | 4.3 MEDIUM |
| The WordPress plugin Image Slider is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1.121 due to failure to properly check for the existence of a nonce in the function ewic_duplicate_slider. This make it possible for unauthenticated attackers to duplicate existing posts or pages granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2021-38868 | 1 Ibm | 1 Engineering Requirements Quality Assistant On-premises | 2022-07-25 | N/A | 6.5 MEDIUM |
| IBM Engineering Requirements Quality Assistant On-Premises (All versions) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force Id: 208310. | |||||
| CVE-2022-32289 | 1 Sygnoos | 1 Popup Builder | 2022-07-25 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status change. | |||||
| CVE-2022-30337 | 1 Joomunited | 1 Wp Meta Seo | 2022-07-25 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in JoomUnited WP Meta SEO plugin <= 4.4.8 at WordPress allows an attacker to update the social settings. | |||||
| CVE-2022-2091 | 1 Cache Images Project | 1 Cache Images | 2022-07-18 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack. | |||||
| CVE-2022-2144 | 1 Jquery Validation For Contact Form 7 Project | 1 Jquery Validation For Contact Form 7 | 2022-07-18 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack | |||||
| CVE-2022-2123 | 1 Wp Opt-in Project | 1 Wp Opt-in | 2022-07-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. | |||||
| CVE-2022-1957 | 1 Comment License Project | 1 Comment License | 2022-07-15 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Comment License WordPress plugin before 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2022-1956 | 1 Shortcut Macros Project | 1 Shortcut Macros | 2022-07-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Shortcut Macros WordPress plugin through 1.3 does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. | |||||
| CVE-2022-1757 | 1 Pagebar Project | 1 Pagebar | 2022-07-15 | 3.5 LOW | 5.4 MEDIUM |
| The Pagebar WordPress plugin through 2.65 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues | |||||