CVE-2024-3472
The Modal Window WordPress plugin before 5.3.10 does not have a CSRF check in place when bulk deleting modals, which could allow attackers to make a logged-in admin delete them via a CSRF attack...
CVE-2024-2405 Float menu < 6.0.1 - Menu Deletion via CSRF
The Float menu WordPress plugin before 6.0.1 does not have a CSRF check in its bulk actions, which could allow attackers to make a logged-in admin delete an arbitrary menu via a CSRF attack...
PT-2024-29345 · Firebase · Firebase-Tools
Name of the Vulnerable Software and Affected Versions: firebase-tools versions prior to 13.6.0 Description: This issue is related to a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint used to export data from running emulators. If a user is running the...
PT-2024-26133 · WordPress · Modal Window
Name of the Vulnerable Software and Affected Versions: The Modal Window WordPress plugin versions prior to 5.3.10 Description: The issue is related to the lack of a CSRF check when bulk deleting modals, which could allow attackers to make a logged-in admin delete them via a CSRF attack...
CVE-2024-3058
The ENL Newsletter WordPress plugin through 1.0.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack...
CVE-2024-2429
The Salon booking system WordPress plugin through 9.6.5 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-2429
CVE-2024-2429 affects the Salon Booking System WordPress plugin (up to 9.6.5). The issue is a missing CSRF check in the plugin's settings update flow, allowing an attacker to make a logged-in admin alter the settings via CSRF. The Red Hat advisory reiterates this description. Exploitation status is not provided in th...
CVE-2024-2429 Salon booking system <= 9.6.5 - Settings Update via CSRF
The Salon booking system WordPress plugin through 9.6.5 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
PT-2024-23612 · WordPress · Mm-Email2Image
Name of the Vulnerable Software and Affected Versions: MM-email2image WordPress plugin versions 0.2.5 and earlier Description: The issue is related to the lack of CSRF checks in some places and missing sanitization as well as escaping in the MM-email2image WordPress plugin. This could allow...
HL Twitter <= 2014.1.18 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. PoC: Have a logged-in admin open an HTML page containing:...
PT-2024-33781 · Gitlab · Gitlab Ce/Ee
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 16.1.0 through 16.11.4; GitLab CE/EE versions 17.0.0 through 17.0.2; GitLab CE/EE version 17.1.0. Description: An issue has been discovered in GitLab CE/EE that allowed for a CSRF attack on GitLab's GraphQL API, leading to...
Add Custom CSS and JS <= 1.20 - Stored XSS via CSRF
Description: The plugin does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make users logged in as author and above add stored XSS payloads via a CSRF attack. PoC: Make a user with the author role or above open the following HTML:...
Ungallery <= 2.2.4 - Stored XSS via CSRF
Description: The plugin does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack. PoC: Make a logged-in admin open an HTML file containing the following:...
MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in Contributors and above delete arbitrary events via a CSRF attack. PoC: Make a contributor or higher user open a link where is a valid event:...
Float menu < 6.0.1 - Menu Deletion via CSRF
Description: The plugin does not have a CSRF check in its bulk actions, which could allow attackers to make a logged-in admin delete an arbitrary menu via a CSRF attack. PoC: Make a logged-in admin open a page with the code below; this will make them delete the menu with ID 1:...
Modal Window < 5.3.10 - Modal Deletion via CSRF
Description: The plugin does not have a CSRF check in place when bulk deleting modals, which could allow attackers to make a logged-in admin delete them via a CSRF attack. PoC: Have a logged-in admin open an HTML file containing the following, where ID is an existing modal: action...
Button Generator < 3.0 - Button Deletion via CSRF
Description: The plugin does not have a CSRF check in place when bulk deleting, which could allow attackers to make a logged-in admin delete buttons via a CSRF attack. PoC: Make a logged-in admin open an HTML file containing: action...
Herd Effects < 5.2.7 - Effect Deletion via CSRF
Description: The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting effects, via CSRF attacks. PoC: Make a logged-in admin open an HTML file where ID is a valid ID: action...
CVE-2024-1315
CVE-2024-1315 affects the Classified Listing – Classified ads & Business Directory Plugin for WordPress. The vulnerability is a CSRF flaw due to missing nonce validation in rtcl_update_user_account, allowing unauthenticated attackers to alter the administrator's password and email, potentially locking out...
CVE-2024-20368
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. This vulnerability is due to insufficient CSRF...