CVE-2023-2601
The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF...
CVE-2022-29903
The Private Domains extension for MediaWiki through 1.37.2 before 1ad65d4c1c199b375ea80988d99ab51ae068f766 allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains...
CVE-2021-25011
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings...
CVE-2020-19889
DBHcms v1.2.0 has no CSRF protection mechanism, as demonstrated by a CSRF against index.php?dbhcmspid=-70 that can add a user...
CVE-2020-15516
The mmforum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via CSRF...
CVE-2020-14414
NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php does not properly escape shell metacharacters taken from a POST request. An attacker can exploit this by sending a POST request whose pw parameter carries arbitrary system commands containing shell metacharacters. This can also be...
CVE-2020-35773
The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF...
CVE-2019-13364
admin.php?page=accountbilling in Piwigo 2.9.5 has XSS via the vatnumber, billingname, company, or billingaddress parameter. This is exploitable via CSRF...
CVE-2019-13363
admin.php?page=notificationbymail in Piwigo 2.9.5 has XSS via the nbmsendhtmlmail, nbmsendmailas, nbmsenddetailedcontent, nbmcomplementarymailcontent, nbmsendrecentpostdates, or paramsubmit parameter. This is exploitable via CSRF...
CVE-2017-15645
CSRF exists in Webmin 1.850. By sending a GET request to at/createjob.cgi containing dir=/= in the URI, an attacker can execute arbitrary commands...
CVE-2015-9421
The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omscpopup id parameter...
PT-2025-21381 · WordPress · The Ultimate Noindex Nofollow Tool
Name of the Vulnerable Software and Affected Versions: The Ultimate Noindex Nofollow Tool WordPress plugin versions 1.1.2 and earlier Description: The issue concerns a lack of CSRF check when updating settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
GestioIP 3.5.7 Cross Site Request Forgery
GestioIP version 3.5.7 suffers from a cross site request forgery vulnerability. Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery CSRF Exploit Author: m4xth0r Maximiliano Belino Author website: https://maxibelino.github.io/ Author email : max.cybersecurity a...
Exploit for CVE-2025-25101
CVE-2025-25101 - WordPress Munk Sites Plugin CSR...
appRain CMF 4.0.5 Shell Upload
appRain CMF version 4.0.5 proof of concept shell upload exploit that leverages a vulnerability originally found in 2024. ============================================================================================================================================= | Title : appRain CMF 4.0.5 shell...
CVE-2025-22963
Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin...
KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Make a logged-in admin open an HTML file containing where is a valid ID: "...
SOPlanning 1.52.00 SQL Injection
Exploit Title: SOPlanning v1.52.00 'projets.php' SQLi Application: SOPlanning Version: 1.52.00 Date: 4/22/24 Exploit Author: Joseph McPeters Liquidsky Vendor Homepage: https://www.soplanning.org/en/ Software Link: https://sourceforge.net/projects/soplanning/ Tested on: Linux CVE: Not yet assigned...
SOPlanning 1.52.00 SQL Injection Vulnerability
Exploit Title: SOPlanning v1.52.00 'projets.php' SQLi Application: SOPlanning Version: 1.52.00 Exploit Author: Joseph McPeters Liquidsky Vendor Homepage: https://www.soplanning.org/en/ Software Link: https://sourceforge.net/projects/soplanning/ Tested on: Linux CVE: Not yet assigned Description:...
reCAPTCHA Jetpack <= 0.2.2 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Have an admin open an HTML page containing:...
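Several of the WordPress entries above (site-offline, The Ultimate Noindex Nofollow Tool, KKProgressbar2, reCAPTCHA Jetpack) share one root cause: a settings or delete handler that checks, at most, who the current user is, but never whether the request was intentionally submitted from the plugin's own form. The block below is an added example, not code from WordPress or from any listed plugin: a Python model of the nonce scheme that wp_create_nonce/wp_verify_nonce implement (half-lifetime ticks, a nonce bound to one action, one user id and one session token, a 10-character hash slice, current and previous tick accepted), run against a settings handler with and without the check. The salt, the action name `noindex_tool_update_settings`, the session token and the request bodies are all constructed for the example, and SHA-256 is used in place of WordPress's MD5-based wp_hash, so values are not byte-identical to a real site.

```python
"""
Model of the WordPress nonce check omitted by the plugins above.
Added example, not WordPress or plugin code: same shape as
wp_create_nonce()/wp_verify_nonce(), simplified to run offline.
"""
import hashlib
import hmac
import math
import time

NONCE_LIFE = 86400  # WordPress default nonce lifetime (DAY_IN_SECONDS)
# Assumption: stands in for the site's NONCE_KEY/NONCE_SALT (never hard-code in practice).
SECRET_SALT = b"constructed-nonce-salt"
SETTINGS_ACTION = "noindex_tool_update_settings"  # hypothetical plugin action name
ADMIN_CAP = "manage_options"


def nonce_tick(now=None, life=NONCE_LIFE):
    """Time bucket of half the nonce lifetime; a nonce is valid in its own bucket and the next."""
    now = time.time() if now is None else now
    return math.ceil(now / (life / 2))


def _nonce_for_tick(tick, action, uid, session_token):
    msg = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(SECRET_SALT, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, uid, session_token, now=None):
    """Mint a nonce bound to one action, one user and one login session."""
    return _nonce_for_tick(nonce_tick(now), action, uid, session_token)


def verify_nonce(nonce, action, uid, session_token, now=None):
    """1 if minted in the current tick, 2 if in the previous one, 0 if missing or invalid."""
    if not nonce:
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, uid, session_token), nonce):
            return age
    return 0


def update_settings_unchecked(post, user, settings):
    """What the flagged plugins did: a capability check at most, no nonce.
    The browser attaches the admin's cookies to a cross-site POST, so any page
    the admin visits can drive this handler."""
    if ADMIN_CAP not in user["caps"]:
        return False
    settings.update({k: v for k, v in post.items() if k.startswith("opt_")})
    return True


def update_settings_checked(post, user, settings, now=None):
    """Hardened handler: same capability check plus a nonce tied to this action,
    this user and this session (the role check_admin_referer() plays in WordPress)."""
    if ADMIN_CAP not in user["caps"]:
        return False
    if not verify_nonce(post.get("_wpnonce", ""), SETTINGS_ACTION,
                        user["id"], user["session_token"], now):
        return False
    settings.update({k: v for k, v in post.items() if k.startswith("opt_")})
    return True


def demo(now=1_700_000_000):
    """Run both handlers against forged cross-site POSTs and a legitimate one."""
    # Constructed victim: a logged-in admin whose session token sits in a cookie
    # that an attacker's page cannot read.
    admin = {"id": 1, "caps": {ADMIN_CAP}, "session_token": "constructed-session-token"}
    sess = admin["session_token"]
    # Constructed bodies: what an auto-submitting form on an attacker page can send
    # (no nonce, or a nonce leaked from some other action) versus the real settings form.
    forged = {"opt_noindex_all": "1"}
    forged_other_action = {"opt_noindex_all": "1",
                           "_wpnonce": create_nonce("delete_post", 1, sess, now)}
    legit = {"opt_noindex_all": "1",
             "_wpnonce": create_nonce(SETTINGS_ACTION, 1, sess, now)}
    out = {}
    for label, handler, body in [
        ("unchecked_forged", update_settings_unchecked, forged),
        ("checked_forged", update_settings_checked, forged),
        ("checked_other_action", update_settings_checked, forged_other_action),
        ("checked_legit", update_settings_checked, legit),
    ]:
        settings = {"opt_noindex_all": "0"}
        if handler is update_settings_unchecked:
            changed = handler(body, admin, settings)
        else:
            changed = handler(body, admin, settings, now)
        out[label] = bool(changed and settings["opt_noindex_all"] == "1")
    return out


if __name__ == "__main__":
    for name, changed in demo().items():
        print(f"{name}: {'settings changed' if changed else 'rejected'}")
```

The two points the model makes are the ones that matter when triaging entries like these: the forged request succeeds against the unchecked handler even though the attacker never learns the admin's cookie, because the browser supplies it; and a nonce minted for a different action (or a different user or session) does not verify, so the check has to be done per action, which is why "lacks certain wp_create_nonce and wp_verify_nonce calls" is reported per handler rather than per plugin. In a real plugin the equivalent is wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() plus current_user_can() at the top of the handler.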