EUVD-2016-10873

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

Nodcms contains a cross-site request forgery vulnerability

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

CVE-2016-20054

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

CVE-2026-5251

A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch...

CVE-2026-5251 z-9527 admin User Update Endpoint user.js dynamically-determined object attributes

A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch...

CVE-2025-58097

The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege...

CVE-2024-10726

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...

CVE-2023-1604

The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configurationpage function. This makes it possible for unauthenticated attackers to add and import redirects, includi...

Cross Site Request Forgery (CSRF)

concrete5/concrete5 is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to the sequential and numeric nature of event IDs via /ccm/calendar/dialogs/event/delete/submit endpoint, allowing an attacker to manipulate an admin into unintentionally deleting events on the site...

WordPress Plugin Jetpack CRM Code Issue Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...

Provide Server 14.4 XSS / Cross Site Request Forgery / Code Execution

Provide Server v. 14.4 CVE-2023-23286 Vulnerabilities: CWE-79: Improper Neutralization of Input During Web Page Generation Unauthenticated stored XSS in server-log delivered via username field from login-form CWE-352: Cross-Site Request Forgery CSRF-token exposed in javascript, making it possible...

CVE-2022-4553

The CVE-2022-4553 entry concerns the WordPress plugin FL3R FeelBox (

WordPress plugin Custom 404 Pro 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on servers running PHP and MySQL. A cross-site request forgery vulnerability...

Admin can drain user funds from the Pool or buy assets for free

Lines of code Vulnerability details Impact We assume that the admin is honest, however there is still possibility of exploiting asset policy contract to and set price to 0 in oder to buy an asset for free - or even worse - drain user funds by setting the price really high in...

Admin can prevent deposits by manipulating timewindow

Lines of code Vulnerability details Impact The protocol is open to an administrator's maliciousness. Proof of Concept As we can see in this line, the contracts in this project has some sanity checks even for admin only calls. However, the administrator is free to change a hedge/risk pair timewind...

CVE-2022-1780

The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping...

Arbitrary fees

Lines of code Vulnerability details Impact Function transferBribes has a parameter named fees. Essentially, it allows an admin to apply any arbitrary fees and send them to the feeRecipient. This makes no sense because admins can manipulate the amounts however they want with 0 restrictions. I see...

CVE-2022-22810

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk V2.6.2 and prior, Wiser for KNX formerly homeLYnk V2.6.2 and prior, fellerLYn...

Authentication flaw

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk V2.6.2 and prior, Wiser for KNX formerly homeLYnk V2.6.2 and prior, fellerLYn...

PT-2021-15921 · WordPress · Vikrentcar Car Rental Management System

Name of the Vulnerable Software and Affected Versions: VikRentCar Car Rental Management System WordPress plugin versions prior to 1.1.7 Description: The issue is related to a stored Cross-Site Scripting problem. It arises because the field name in the custom field option is not properly sanitised...