Total
8797 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14354 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.3 Medium |
| The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14161 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.3 Medium |
| The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-36690 | 1 Vibethemes | 1 Wordpress Learning Management System | 2025-12-15 | 8.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in VibeThemes WPLMS theme <= 4.900 versions. | ||||
| CVE-2025-12407 | 2 Netweblogic, Wordpress | 2 Events Manager, Wordpress | 2025-12-14 | 4.3 Medium |
| The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14159 | 2 Ays-pro, Wordpress | 2 Secure Copy Content Protection And Content Locking, Wordpress | 2025-12-14 | 4.3 Medium |
| The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated. | ||||
| CVE-2025-58014 | 2 Ays-pro, Wordpress | 2 Quiz Maker, Wordpress | 2025-12-12 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through 6.7.0.61. | ||||
| CVE-2025-14160 | 1 Wordpress | 1 Wordpress | 2025-12-12 | 4.3 Medium |
| The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13987 | 1 Wordpress | 1 Wordpress | 2025-12-12 | 4.3 Medium |
| The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-62245 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-12 | 4.3 Medium |
| Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments. | ||||
| CVE-2025-10930 | 2 2bits, Drupal | 3 Currency, Currency, Drupal | 2025-12-12 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0. | ||||
| CVE-2025-14062 | 1 Wordpress | 1 Wordpress | 2025-12-12 | 4.3 Medium |
| The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-67646 | 1 Telepedia | 1 Tableprogresstracking | 2025-12-12 | 3.5 Low |
| TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension. | ||||
| CVE-2024-43192 | 1 Ibm | 5 Diamondback Tape Library, Diamondback Tape Library Firmware, Storage Ts4500 Library and 2 more | 2025-12-11 | 6.5 Medium |
| IBM Storage TS4500 Library 1.11.0.0 and 2.11.0.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | ||||
| CVE-2024-36076 | 1 Syslifters | 1 Sysreptor | 2025-12-11 | 8.8 High |
| Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to version 2024.30 causes attackers to escalate privileges and obtain sensitive information when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session. | ||||
| CVE-2025-65962 | 1 Enalean | 1 Tuleap | 2025-12-10 | 4.6 Medium |
| Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are mission CSRF protections in its tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9. | ||||
| CVE-2025-64498 | 1 Enalean | 1 Tuleap | 2025-12-10 | 4.6 Medium |
| Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers trick victims into changing tracker general settings. This issue is fixed in version Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10. | ||||
| CVE-2025-64499 | 1 Enalean | 1 Tuleap | 2025-12-10 | 4.6 Medium |
| Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Editon versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edtion versions 17.0-2, 16.13-7 and 16.12-10. | ||||
| CVE-2025-64760 | 1 Enalean | 1 Tuleap | 2025-12-10 | 4.6 Medium |
| Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8. | ||||
| CVE-2023-22675 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery.This issue affects WP Fast Cache: from n/a through 1.5. | ||||
| CVE-2025-13924 | 3 Maartenbelmans, Woocommerce, Wordpress | 3 Advanced Product Fields Product Addons For Woocommerce, Woocommerce, Wordpress | 2025-12-10 | 4.3 Medium |
| The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||