About “Cross-Site Request Forgery (CSRF)”

A curated feed of “Cross-Site Request Forgery (CSRF)”-related CVEs appears below. We currently track 9568 CVEs for this tag (all time). In the last 365 days, 1403 were published. Average CVSS is 6.4 (all time; 5.6 over 365d), and 37% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-352 - Cross-Site Request Forgery (CSRF), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness lead to moderate impact: a victim's browser, already authenticated to the target, is tricked into sending a state-changing request the victim did not intend. Use the filters below to sort by CVSS, risk and CWE, triage the high-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.

2019-09-16
Medium

CVE-2016-10962

The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.

Medium

CVE-2016-10959

The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.

2019-09-14
High

CVE-2019-16311

NIUSHOP V1.11 has CSRF via search_info to index.php.

2019-09-13
Medium

CVE-2019-13920

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. T…

Critical

CVE-2019-13364

admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.

Critical

CVE-2019-13363

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail…

Medium

CVE-2019-12922

A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.

High

CVE-2016-10946

The wp-d3 plugin before 2.4.1 for WordPress has CSRF.

High

CVE-2016-10945

The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.

High

CVE-2016-10944

The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.

Critical

CVE-2016-10942

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

Medium

CVE-2016-10941

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.

Medium

CVE-2016-10938

The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location.

2019-09-12
High

CVE-2019-5993

Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecif…

High

CVE-2019-5992

Cross-site request forgery (CSRF) vulnerability in WordPress Ultra Simple Paypal Shopping Cart v4.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified…

High

CVE-2019-5986

Cross-site request forgery (CSRF) vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/R…

2019-09-11
High

CVE-2019-1261

A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF). To exploit this vulnerability, an…

High

CVE-2019-1259

A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF). To exploit this vulnerability, an…

Medium

CVE-2019-14998

The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a…

2019-09-10
High

CVE-2017-18607

The avada theme before 5.1.5 for WordPress has CSRF.

2019-09-09
High

CVE-2019-16187

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script.

Medium

CVE-2019-10253

A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace…

2019-09-08
High

CVE-2019-16099

Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows CSRF via JSON data to a .swf file.

2019-09-06
Medium

CVE-2019-15128

iF.SVNAdmin through 1.6.2 allows svnadmin/usercreate.php CSRF to create a user.

High

CVE-2019-16059

Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.

2019-09-03
High

CVE-2019-15868

The affiliates-manager plugin before 2.6.6 for WordPress has CSRF.

High

CVE-2019-15865

The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has CSRF.

2019-08-30
High

CVE-2019-15841

The facebook-for-woocommerce plugin before 1.9.15 for WordPress has CSRF via ajax_woo_infobanner_post_click, ajax_woo_infobanner_post_xout, or ajax_fb_toggle_visibility.

High

CVE-2019-15840

The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF.

High

CVE-2019-15835

The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF.

High

CVE-2019-15834

The webp-converter-for-media plugin before 1.0.3 for WordPress has CSRF.

High

CVE-2019-15832

The visitors-traffic-real-time-statistics plugin before 1.13 for WordPress has CSRF.

High

CVE-2019-15831

The visitors-traffic-real-time-statistics plugin before 1.12 for WordPress has CSRF in the settings page.

High

CVE-2019-15828

The one-click-ssl plugin before 1.4.7 for WordPress has CSRF.

High

CVE-2015-9380

The photo-gallery plugin before 1.2.42 for WordPress has CSRF.

2019-08-29
High

CVE-2019-15781

The facebook-by-weblizar plugin before 2.8.5 for WordPress has CSRF.

High

CVE-2019-15769

The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option.

2019-08-28
Medium

CVE-2019-10057

Various Lexmark products have CSRF.

High

CVE-2019-15496

MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a sp…

High

CVE-2019-10384

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass C…
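The Jira "cookie tossing" entry (CVE-2019-14998) and the Jenkins entry just above (CVE-2019-10384) are two failures of the same property: a CSRF token is only as good as its binding to the authenticated session. The following is an added example written for this page, not code from Jira, Jenkins or any vendor listed here. It models two checks on constructed requests: a naive double-submit check that accepts any cookie/form pair that match (which a sibling host able to set cookies for the parent domain can satisfy), and a session-bound check where the token is an HMAC over the session identifier under a server-only key, so a token minted without a session or for another session is rejected. The secret, session values and request shapes are all assumptions for illustration.

```python
"""Added example: naive double-submit CSRF check beside a session-bound check.

Constructed requests are dicts of the form {"cookies": {...}, "form": {...}};
nothing here talks to a real server.
"""
import hashlib
import hmac
from typing import Optional

# Assumption: a server-side key that never reaches the browser.
SERVER_SECRET = b"assumed-server-side-secret-rotate-me"


def issue_session_bound_token(session_id: Optional[str]) -> Optional[str]:
    """Mint a CSRF token for an authenticated session.

    No session -> no token. Issuing tokens to sessionless callers is the
    behaviour the Jenkins entry above describes, and it is avoided here.
    """
    if not session_id:
        return None
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def naive_double_submit(request: dict) -> bool:
    """Vulnerable check: passes whenever the csrf cookie equals the form field.

    Anyone who can plant the csrf cookie for this origin (cookie tossing from a
    sibling subdomain) can also choose the form value, so the check is moot.
    """
    cookie = request["cookies"].get("csrf")
    form = request["form"].get("csrf", "")
    return bool(cookie) and hmac.compare_digest(cookie.encode(), form.encode())


def session_bound_check(request: dict) -> bool:
    """Hardened check: the form token must be the one derived from the
    session that is actually making the request. The csrf cookie is ignored."""
    expected = issue_session_bound_token(request["cookies"].get("session"))
    form = request["form"].get("csrf")
    if expected is None or not form:
        return False
    return hmac.compare_digest(expected.encode(), form.encode())


def make_request(session_id: Optional[str], csrf_cookie: Optional[str],
                 csrf_form: Optional[str]) -> dict:
    """Build a constructed request as the server would see it."""
    cookies = {}
    if session_id:
        cookies["session"] = session_id
    if csrf_cookie:
        cookies["csrf"] = csrf_cookie
    form = {"csrf": csrf_form} if csrf_form else {}
    return {"cookies": cookies, "form": form}


def scenarios() -> dict:
    """Run both checks over four constructed situations.

    Each value is (naive_double_submit result, session_bound_check result).
    """
    victim = "sess-victim-0001"        # assumption: victim's session cookie
    attacker = "sess-attacker-0002"    # assumption: attacker's own session
    t_victim = issue_session_bound_token(victim)
    t_attacker = issue_session_bound_token(attacker)

    # Victim's own browser, its own token in both places.
    legit = make_request(victim, t_victim, t_victim)
    # Cookie tossing: attacker planted a known csrf cookie and submits it as the form value.
    tossed = make_request(victim, "tossed-value", "tossed-value")
    # Attacker reuses a token legitimately issued to the attacker's own session.
    cross = make_request(victim, t_attacker, t_attacker)
    # No session at all, but matching cookie and form values.
    sessionless = make_request(None, "x", "x")

    return {
        "legit": (naive_double_submit(legit), session_bound_check(legit)),
        "cookie_tossing": (naive_double_submit(tossed), session_bound_check(tossed)),
        "other_session_token": (naive_double_submit(cross), session_bound_check(cross)),
        "no_session": (naive_double_submit(sessionless), session_bound_check(sessionless)),
    }


if __name__ == "__main__":
    for name, (naive, bound) in scenarios().items():
        print(f"{name:22s} naive={naive!s:5s} session_bound={bound}")
```

Only the first scenario should be accepted by a correct implementation; the naive check accepts all four. In a real deployment the session identifier fed to the HMAC must be the server-side session, not a value the client can choose, and the token should be rotated on login.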

2019-08-27
High

CVE-2019-11457

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documen…

High

CVE-2019-15660

The wp-members plugin before 3.2.8 for WordPress has CSRF.

High

CVE-2019-15645

The zoho-salesiq plugin before 1.0.9 for WordPress has CSRF.

High

CVE-2018-21006

The bbp-move-topics plugin before 1.1.6 for WordPress has CSRF.

High

CVE-2018-21002

The js-support-ticket plugin before 2.0.6 for WordPress has CSRF.

High

CVE-2015-9343

The wp-rollback plugin before 1.2.3 for WordPress has CSRF.

2019-08-26
Medium

CVE-2019-15515

Discourse 2.3.2 sends the CSRF token in the query string.

2019-08-23
Medium

CVE-2019-8447

The ServiceExecutor resource in Jira before version 8.3.2 allows remote attackers to trigger the creation of export files via a Cross-site request forgery (CSRF) vulnerability.

Medium

CVE-2019-14999

The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers t…

Medium

CVE-2019-11589

The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in so…

Medium

CVE-2019-11588

The ViewSystemInfo class doGarbageCollection method in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to trig…

Medium

CVE-2019-11587

Various exposed resources of the ViewLogging class in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allow remote attackers to modify…

Medium

CVE-2019-11586

The AddResolution.jspa resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to create new resolutions v…

High

CVE-2019-15491

openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21.

2019-08-22
High

CVE-2019-15329

The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has CSRF.

Medium

CVE-2014-10382

The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment.

High

CVE-2016-10918

The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.

2019-08-21
High

CVE-2019-13477

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, CSRF in the forgot password function allows an attacker to change the password for the root account.

High

CVE-2019-12624

A vulnerability in the web-based management interface of Cisco IOS XE New Generation Wireless Controller (NGWC) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery…

High

CVE-2017-18521

The democracy-poll plugin before 5.4 for WordPress has CSRF via wp-admin/options-general.php?page=democracy-poll&subpage=l10n.

High

CVE-2016-10903

The GoDaddy godaddy-email-marketing-sign-up-forms plugin before 1.1.3 for WordPress has CSRF.

High

CVE-2016-10902

The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in the admin tools.

2019-08-20
Medium

CVE-2019-4167

IBM StoredIQ 7.6.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force…

High

CVE-2019-4117

IBM Cloud Private 3.1.1 and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trus…

High

CVE-2017-18523

The eelv-newsletter plugin before 4.6.1 for WordPress has CSRF in the address book.

High

CVE-2019-15238

The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.

High

CVE-2017-18569

The my-wp-translate plugin before 1.0.4 for WordPress has CSRF.

High

CVE-2016-10915

The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.

High

CVE-2016-10914

The add-from-server plugin before 3.3.2 for WordPress has CSRF for importing a large file.

Medium

CVE-2015-9332

The uninstall plugin before 1.2 for WordPress has CSRF to delete all tables via the wp-admin/admin-ajax.php?action=uninstall URI.

High

CVE-2014-10381

The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.

High

CVE-2011-5328

The user-access-manager plugin before 1.2 for WordPress has CSRF.

High

CVE-2019-15229

FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially craft…

2019-08-19
High

CVE-2019-15150

In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
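The OAuth2 `state` parameter is the CSRF token of the authorization-code flow: the client mints it when it starts a login, stores it in the browser's session, and must compare it on the callback before accepting the returned code. When the callback skips that comparison, as the MediaWiki entry above describes, an attacker can run the flow against the identity provider with their own account and then make the victim's browser visit the callback URL carrying the attacker's code, linking the attacker's identity to the victim's account. The following is an added example written for this page, not code from MediaWiki or its OAuth2 Client extension. The provider URL, client id and codes are assumptions; sessions are plain dicts standing in for server-side session storage.

```python
"""Added example: an OAuth2 callback that ignores `state` beside one that checks it.

Everything is in-memory and constructed; no identity provider is contacted.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

AUTHORIZE_URL = "https://idp.example/authorize"   # assumption: provider endpoint
CLIENT_ID = "demo-client"                          # assumption


def begin_login(session: dict) -> str:
    """Start the authorization-code flow.

    Mint an unguessable state, remember it in the server-side session, and
    return the redirect URL the browser is sent to.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return (f"{AUTHORIZE_URL}?response_type=code&client_id={CLIENT_ID}"
            f"&state={state}")


def vulnerable_callback(session: dict, params: dict) -> Optional[dict]:
    """Mishandles state: links whatever code arrives, regardless of who started the flow."""
    return {"linked_code": params.get("code")}


def hardened_callback(session: dict, params: dict) -> Optional[dict]:
    """Accept the code only if the state matches the one this session minted.

    The stored state is removed on first use, so a callback cannot be replayed,
    and a missing or foreign state is rejected before the code is touched.
    """
    expected = session.pop("oauth_state", None)
    got = params.get("state")
    if not expected or not got:
        return None
    if not hmac.compare_digest(expected.encode(), got.encode()):
        return None
    return {"linked_code": params.get("code")}


def state_from_redirect(url: str) -> str:
    """Pull the state back out of the redirect URL, as the provider would echo it."""
    return parse_qs(urlparse(url).query)["state"][0]


def scenarios() -> dict:
    """Play out a legitimate callback, a forged one, and a replay."""
    victim = {}                                   # victim's server-side session
    victim_state = state_from_redirect(begin_login(victim))

    # Attacker runs their own flow and obtains a code bound to their identity.
    attacker = {}
    begin_login(attacker)
    forged = {"code": "ATTACKER-CODE", "state": attacker["oauth_state"]}  # constructed
    legit = {"code": "VICTIM-CODE", "state": victim_state}                 # constructed

    return {
        # Victim's browser is driven to the callback with the attacker's code.
        "forged_vulnerable": vulnerable_callback(dict(victim), forged),
        "forged_hardened": hardened_callback(dict(victim), forged),
        # The provider's genuine redirect for the victim's own flow.
        "legit_hardened": hardened_callback(victim, legit),
        # Same callback delivered a second time: state was consumed.
        "replay_hardened": hardened_callback(victim, legit),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} -> {result}")
```

The vulnerable callback links ATTACKER-CODE to the victim's session; the hardened one links only the code from the flow the victim actually started and refuses the replay. The same single-use, session-stored nonce pattern applies to any redirect-based login or account-linking callback, not just OAuth2.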

2019-08-16
High

CVE-2019-15115

The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

High

CVE-2019-15114

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

High

CVE-2019-15113

The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

High

CVE-2018-20974

The js-jobs plugin before 1.0.7 for WordPress has CSRF.

High

CVE-2018-20972

The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.

High

CVE-2018-20971

The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.

High

CVE-2017-18547

The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.

High

CVE-2017-18546

The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF.

High

CVE-2017-18544

The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF.

High

CVE-2015-9322

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

2019-08-15
High

CVE-2019-13516

In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.

2019-08-14
High

CVE-2019-15062

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could…

High

CVE-2019-14526

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefor…

High

CVE-2019-14216

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads…

High

CVE-2018-20968

The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.

High

CVE-2018-20967

The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.

High

CVE-2017-18513

The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.

High

CVE-2017-18512

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

High

CVE-2017-18511

The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.

High

CVE-2017-18510

The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.

High

CVE-2016-10885

The wp-editor plugin before 1.2.6 for WordPress has CSRF.

High

CVE-2016-10884

The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.

Medium

CVE-2016-10883

The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users.

High

CVE-2016-10882

The google-document-embedder plugin before 2.6.2 for WordPress has CSRF.

High

CVE-2015-9309

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.

High

CVE-2015-9308

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature.

High

CVE-2015-9307

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.

High

CVE-2013-7476

The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.

2019-08-13
High

CVE-2019-11207

The web server component of TIBCO Software Inc.'s TIBCO LogLogic Enterprise Virtual Appliance, and TIBCO LogLogic Log Management Intelligence contains multiple vulnerabilities that theoretically allo…

High

CVE-2018-20964

The contact-form-to-email plugin before 1.2.66 for WordPress has CSRF.

2019-08-12
High

CVE-2017-18504

The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF.

High

CVE-2016-10876

The wp-database-backup plugin before 4.3.1 for WordPress has CSRF.

High

CVE-2016-10874

The wp-database-backup plugin before 4.3.3 for WordPress has CSRF.

2019-08-11
High

CVE-2019-14933

Bagisto 0.1.5 allows CSRF under /admin URIs.

2019-08-09
Medium

CVE-2016-10865

The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.

2019-08-08
Medium

CVE-2017-18485

Cognitoys Dino devices allow profiles_add.html CSRF.

High

CVE-2016-10863

Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure.

High

CVE-2015-9292

6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).

Medium

CVE-2019-14683

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

Medium

CVE-2019-14682

The acf-better-search (aka ACF: Better Search) plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbs_admin_page CSRF.

High

CVE-2019-14681

The Deny All Firewall plugin before 1.1.7 for WordPress allows wp-admin/options-general.php?page=daf_settings&daf_remove=true CSRF.

Medium

CVE-2019-14680

The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.

Medium

CVE-2019-14679

core/views/arprice_import_export.php in the ARPrice Lite plugin 2.2 for WordPress allows wp-admin/admin.php?page=arplite_import_export CSRF.

High

CVE-2019-1958

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected…

2019-08-07
Medium

CVE-2019-10388

A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specif…

High

CVE-2019-10386

A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attac…