CVE-2025-27579
CVE-2025-27579 affects Bitaxe ESP-Miner with AxeOS prior to firmware 2.5.0. The issue is a CSRF vulnerability in the /api/system endpoint that allows an attacker to update the payout address (stratumUser) and modify frequency and voltage settings. The impact is limited to the documented changes t...
CVE-2025-0522 LikeBot – Decentralized like-system <= 0.85 - Admin+ Stored XSS via CSRF
The LikeBot WordPress plugin through 0.85 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2021-39133
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with admin access to the system resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all...
CVE-2019-19979
A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS...
CVE-2024-38523
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weaken its one-time nature. Specifically, the lack of 2FA for changing security settings allows an attacker with CSRF or XSS primitives to...
CVE-2024-20421
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to...
CVE-2024-13115 WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF
The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
PT-2025-2012 · WordPress · Wp Projects Portfolio With Client Testimonials
Name of the Vulnerable Software and Affected Versions: WP Projects Portfolio with Client Testimonials WordPress plugin versions 3.0 and earlier. Description: The issue concerns the lack of a CSRF check in some places, as well as missing sanitisation and escaping, which could allow attackers to make...
CVE-2024-13096 WP Finance <= 1.3.6 - Stored XSS via CSRF
The WP Finance WordPress plugin through 1.3.6 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12280
The WP Customer Area WordPress plugin through 8.2.4 does not have a CSRF check in place when deleting its logs, which could allow attackers to make a logged-in user delete them via a CSRF attack...
CVE-2024-13057
CVE-2024-13057 affects the Dyn Business Panel WordPress plugin (versions up to 1.0.0). The connected sources describe a missing CSRF check in some areas and a lack of input sanitisation/escaping, enabling a logged-in admin to be made to inject Stored XSS via a CSRF attack. The CVE notes this as a Stored Cross...
CVE-2024-13057 Dyn Business Panel <= 1.0.0 - Stored XSS via CSRF
The Dyn Business Panel WordPress plugin through 1.0.0 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-12774 Altra Side Menu <= 2.0 - Arbitrary Menu Deletion via CSRF
The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete an arbitrary menu via a CSRF attack...
CVE-2025-23749 WordPress mybb Last Topics plugin <= 1.0 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics (mybb-last-topics) allows Stored XSS. This issue affects mybb Last Topics: from n/a through = 1.0...
CVE-2024-12008
The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For exampl...
CVE-2025-22963
Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin...
CVE-2024-51700
CVE-2024-51700 is a cross-site request forgery to stored cross-site scripting vulnerability affecting NAVER Analytics (versions up to 0.9; unpatched per the ENISA/EUVD entry). The connected EUVD-2024-45791 entry notes malicious code in NAVER Analytics (the PyPI bioql package is unrelated to NAVER) but reiterates NAV...
CVE-2024-11842
The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-11842
The CVE-2024-11842 entry concerns the DN Shipping by Weight for WooCommerce WordPress plugin prior to version 1.2. The root cause is a missing CSRF check when updating plugin settings, enabling a CSRF attack to modify settings by a logged-in administrator. Impact described: settings changes could...
CVE-2024-11842 DN Shipping by Weight for WooCommerce < 1.2 - Settings Update via CSRF
The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...