1834 matches found
CVE-2023-50931
An issue was discovered in savignano S/Notify before 2.0.1 for Bitbucket. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting...
CVE-2023-6532 WP Blogs' Planetarium <= 1.0 - Settings Update via CSRF
The WP Blogs' Planetarium WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
PT-2024-14998 · Wpblog · Wp Blogs' Planetarium Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: WP Blogs' Planetarium WordPress plugin versions 1.0 and earlier Description: The issue is related to the lack of a CSRF check when updating settings in the plugin, which could allow attackers to make a logged-in admin change them via a CSRF...
PT-2024-14015
Name of the Vulnerable Software and Affected Versions: savignano S/Notify versions prior to 4.0.2 for Confluence Description: An issue was discovered that allows the configuration settings of S/Notify to be modified via a CSRF attack while an administrative user is logged on. This could be initiate...
Spam protection, AntiSpam, FireWall by CleanTalk < 6.21 - Email Update via CSRF
Description: The plugin does not have a CSRF check in its apbctsettingsupdateaccountemail function, which could allow attackers to make logged-in admins update the account email address via a CSRF attack...
Site Notes <= 2.0.0 - Admin Note Deletion via CSRF
Description: The plugin does not have CSRF checks in some of its functionalities, which could allow attackers to make logged-in users perform unwanted actions, such as deleting administration notes, via CSRF attacks. PoC: Have an administrator open the following HTML file:...
WordPress Users <= 1.4 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Create an HTML file with the following and open it when logged in as an Editor or above: document.forms[0].submit();...
WP 2FA < 2.6.0 - Arbitrary Email Sending via CSRF
Description: The plugin has a flawed CSRF check when sending emails to registered users, which could allow attackers to make logged-in admins perform such an action via a CSRF attack...
CVE-2023-6689
A successful CSRF attack could force the user to perform state-changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application...
CVE-2023-6689
CVE-2023-6689 affects EFACEC BCU 500 (automation/control device). The CSRF vulnerability could force state-changing requests, potentially compromising the web application when the victim is an administrative account. Public sources (CISA ICS advisory ICSA-23-353-02) outline affected product/versi...
CVE-2023-45316
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/ as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack...
CVE-2023-45316 Reflected client side path traversal leading to CSRF in Playbooks
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/ as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack...
CVE-2023-45316
Mattermost is affected by a path traversal CSRF vulnerability in the Playbooks telemetry endpoint. The issue arises from insufficient validation of a relative path passed to /plugins/playbooks/api/v0/telemetry/run/, enabling an attacker to craft a path traversal payload that points to a different...
Chat Bubble <= 2.4 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2023-47870
Cross-Site Request Forgery (CSRF) and Missing Authorization vulnerability in gVectors Team wpForo Forum (wpforo) allows Cross Site Request Forgery and Accessing Functionality Not Properly Constrained by ACLs, leading to a forced log-out of all users. This issue affects wpForo Forum: from n/a through 2.2.6...
Korea SNS <= 1.6.4 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
DeepL Pro API translation < 2.4.1.2 - Log Pruning via CSRF
Description: The plugin does not have CSRF checks when pruning logs, which could allow attackers to make logged-in admins perform such an action via a CSRF attack...
CVE-2023-4824
The WooHoo Newspaper Magazine theme does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
Cross-Site Request Forgery (CSRF)
The WooHoo Newspaper Magazine theme does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...