Total
8298 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60169 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in W3S Cloud Technology W3SCloud Contact Form 7 to Zoho CRM allows Stored XSS. This issue affects W3SCloud Contact Form 7 to Zoho CRM: from n/a through 3.0. | |||||
| CVE-2025-60093 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through 3.3.24. | |||||
| CVE-2025-10377 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-58914 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2. | |||||
| CVE-2025-10752 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-60113 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in grooni Groovy Menu allows Cross Site Request Forgery. This issue affects Groovy Menu: from n/a through 1.4.3. | |||||
| CVE-2025-60170 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0. | |||||
| CVE-2025-60139 | 2025-09-26 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Joovii Sendle Shipping allows Cross Site Request Forgery. This issue affects Sendle Shipping: from n/a through 6.02. | |||||
| CVE-2025-60171 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through 1.2.10. | |||||
| CVE-2025-60164 | 2025-09-26 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in NewsMAN NewsmanApp allows Stored XSS. This issue affects NewsmanApp: from n/a through 2.7.7. | |||||
| CVE-2025-8711 | 1 Ivanti | 4 Connect Secure, Neurons For Secure Access, Policy Secure and 1 more | 2025-09-24 | N/A | 5.4 MEDIUM |
| CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute limited actions on behalf of the victim user. User interaction is required. | |||||
| CVE-2025-55147 | 1 Ivanti | 4 Connect Secure, Neurons For Secure Access, Policy Secure and 1 more | 2025-09-24 | N/A | 8.8 HIGH |
| CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute sensitive actions on behalf of the victim user. User interaction is required | |||||
| CVE-2022-2355 | 1 Easy Username Updater Project | 1 Easy Username Updater | 2025-09-24 | N/A | 6.5 MEDIUM |
| The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin | |||||
| CVE-2024-41795 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2025-09-23 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This could allow an unauthenticated attacker to change arbitrary device settings by tricking a legitimate device administrator to click on a malicious link. | |||||
| CVE-2025-9949 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-9882 | 2025-09-22 | N/A | 6.1 MEDIUM | ||
| The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-9887 | 2025-09-22 | N/A | 4.3 MEDIUM | ||
| The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-43809 | 2025-09-22 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter. | |||||
| CVE-2025-9883 | 2025-09-22 | N/A | 6.1 MEDIUM | ||
| The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-57918 | 2025-09-22 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in ERA404 LinkedInclude allows Stored XSS. This issue affects LinkedInclude: from n/a through 3.0.4. | |||||