1834 matches found
PT-2023-16747 · WordPress · OAuth Single Sign On Free +3
Name of the Vulnerable Software and Affected Versions: OAuth Single Sign On Free WordPress plugin versions prior to 6.24.2; OAuth Single Sign On Standard WordPress plugin versions prior to 28.4.9; OAuth Single Sign On Premium WordPress plugin versions prior to 38.4.9; OAuth Single Sign On Enterprise...
PT-2023-16308 · WordPress · HT Portfolio
Name of the Vulnerable Software and Affected Versions: HT Portfolio WordPress plugin versions prior to 1.1.6 Description: The issue concerns a lack of CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF...
CVE-2023-20113
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management...
Cross-site request forgery (CSRF)
A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer...
Cisco SD-WAN vManage Software XSRF (cisco-sa-vman-csrf-76RDbLEh)
According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an...
Redirection < 1.1.5 - Plugin Reset via CSRF
The plugin does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack. PoC https://example.com/wp-admin/admin-post.php?action=iruninstall...
CVE-2022-3894
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack...
Cross-site request forgery (CSRF)
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack...
CVE-2022-3894 WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The WP OAuth Server OAuth Authentication WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack...
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access...
Mass Delete Unused Tags < 3.0.0 - Tags Deletion via CSRF
The plugin does not have CSRF checks when deleting tag, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Redirection < 1.1.4 - Redirect Creation via CSRF
The plugin does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. PoC POST /wp-admin/admin-ajax.php HTTP/2 Host: sawcup.s2-tastewp.com Cookie: test=test; User-Agent: useragent Accept: */* Accept-Language: en-US,en;q=0.5...
About Me 3000 widget <= 2.2.6 - CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CVE-2023-27295
OpenCATS suffers a Cross-Site Request Forgery due to failure to require CSRF tokens on POST requests. An attacker can create a page that executes JavaScript within an authenticated user’s session. Multiple sources (e.g., CNNVD citing OpenCATS 0.9.6) corroborate the CSRF issue, but no concrete rem...
Preview Link Generator < 1.0.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. PoC fetch('https://example.com/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type':...
Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack. PoC (activate woocommerce plugin exploit): fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new...
Read More Excerpt Link < 1.6.1 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
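The WordPress entries above (redirect creation, plugin activation, role capability updates, settings updates) all describe the same defect: an admin-ajax.php or admin-post.php handler that runs a privileged action for any logged-in session without checking a nonce. The following is an added example, not code from any plugin listed on this page, showing that vulnerable handler shape next to a hardened one. The action names (`example_activate_plugin*`), the callback name and the script handle are hypothetical; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `get_plugins`, `activate_plugin`, `wp_create_nonce`, `wp_localize_script`) are the real core APIs.

```php
<?php
/**
 * Added example (not from any plugin listed above). A WordPress admin-ajax
 * handler that activates a plugin, first in the CSRF-vulnerable form the
 * advisories describe, then hardened. Action names, the callback name and the
 * script handle are hypothetical.
 */

// --- Vulnerable: any logged-in session can trigger it, no nonce, no capability
// check, unvalidated input. A cross-site page that POSTs here with the admin's
// cookies attached gets an arbitrary installed plugin activated.
add_action( 'wp_ajax_example_activate_plugin_insecure', function () {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugin = isset( $_POST['plugin'] ) ? (string) $_POST['plugin'] : '';
    activate_plugin( $plugin ); // e.g. "woocommerce/woocommerce.php"
    wp_send_json_success();
} );

// --- Hardened: the nonce ties the request to a page this site rendered for
// this user, the capability check authorises the action, and the target is
// validated against the installed plugin list rather than taken as a path.
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin_handler' );

function example_activate_plugin_handler() {
    // 1. CSRF check. With a named field it reads $_REQUEST['nonce']; with no
    //    field name it falls back to _ajax_nonce then _wpnonce. On a missing
    //    or wrong-action nonce it calls wp_die() with -1 and a 403 status.
    check_ajax_referer( 'example_activate_plugin', 'nonce' );

    // 2. Authorisation is separate from CSRF protection: a valid nonce only
    //    says "this came from our page", not "this user may do this".
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // 3. Validate the target against what is actually installed; get_plugins()
    //    returns an array keyed by "dir/file.php" for every installed plugin.
    $plugin = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( array( 'message' => 'unknown plugin' ), 400 );
    }

    $result = activate_plugin( $plugin ); // null on success, WP_Error otherwise
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'activated' => $plugin ) );
}

// Legitimate callers need the nonce: mint it server-side for this action and
// hand it to the admin page's script, so only a page rendered by this site for
// this logged-in user carries a value check_ajax_referer() will accept.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_activate_plugin' ),
    ) );
} );
```

The hypothetical admin.js would POST `action=example_activate_plugin`, `plugin=<slug>` and `nonce=<exampleAjax.nonce>` to `exampleAjax.url`; a cross-site page cannot read that nonce, so its forged request fails step 1 even though the browser attaches the admin's cookies. Two checks worth keeping in mind when triaging entries like those above: a nonce without a `current_user_can()` check still lets any logged-in user who can load the page perform the action, and browser SameSite defaults are not a substitute for the nonce, because a top-level form POST from an attacker page is still sent with Lax cookies.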
CVE-2023-20011 Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability
A vulnerability in the web-based management interface of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Network Controller, formerly Cisco Cloud APIC, could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system...
Admin Block Country <= 7.1.4 - Cross-Site Request Forgery (CSRF)
The plugin does not protect some of its actions in the adminblockcountryinitialpage function against CSRF attacks, allowing an attacker to modify country blocks or methods on their behalf by tricking a logged in administrator to submit a crafted request...
K14812883: BIG-IP ASM XSS vulnerability CVE-2019-6607
Security Advisory Description This is a stored cross-site scripting (XSS) vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF, which results in code execution as the admin user. CVE-2019-6607 The user levels that can store this atta...