CM Download Manager < 2.9.0 - Download Deletion via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete downloads via a CSRF attack. Make an admin open the URL below: https://example.com/cmdownload/del/id/...
PT-2024-15227 · WordPress · Fatal Error Notify
Name of the Vulnerable Software and Affected Versions: Fatal Error Notify WordPress plugin versions prior to 1.5.3 Description: The issue affects the test error AJAX action in the Fatal Error Notify WordPress plugin, which lacks authorisation and CSRF checks. This allows any authenticated users,...
lasTunes <= 3.6.1 - Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. document.forms[0]...
Lock User Account < 1.0.4 - Arbitrary Account Lock/Unlock via CSRF
Description: The plugin does not have a CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged-in admins lock and unlock arbitrary users via a CSRF attack. Make a logged-in admin open one of the links below; this will make them lock/unlock the user with ID 5...
CVE-2023-34839
A Cross-Site Request Forgery (CSRF) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows a remote attacker to gain privileges via a custom CSRF exploit targeting the create-new-user function in the application...
Side Cart Woocommerce < 2.2 - Settings Reset via CSRF
The plugin does not have a CSRF check when resetting its settings, which could allow attackers to make logged-in admins perform such an action via a CSRF attack. Make a logged-in admin open https://example.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes...
Clock In Portal <= 2.1 - Designation Deletion via CSRF
The plugin does not have a CSRF check when deleting designations, which could allow attackers to make logged-in admins delete arbitrary designations via a CSRF attack. Make a logged-in admin open a page with the code below; this will make them delete the Designation with ID 2...
Clock In Portal <= 2.1 - Holidays Deletion via CSRF
The plugin does not have a CSRF check when deleting holidays, which could allow attackers to make logged-in admins delete arbitrary holidays via a CSRF attack. Make a logged-in admin open a page with the code below; this will make them delete the Holiday with ID 1...
Redirection < 1.1.5 - Plugin Reset via CSRF
The plugin does not have CSRF checks in the uninstall action, which could allow attackers to make logged-in admins delete all the redirections through a CSRF attack. https://example.com/wp-admin/admin-post.php?action=iruninstall...
WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF
The plugin does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. fetch('https://example.com/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': ...
CVE-2022-4621 Panasonic Sanyo CCTV Network Camera
Panasonic Sanyo CCTV Network Cameras versions 1.02-05 and 2.03-0x are vulnerable to CSRF, which can be exploited to allow an attacker to perform changes with administrator-level privileges...
CVE-2022-3926 WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF
The WP OAuth Server OAuth Authentication WordPress plugin before 3.4.2 does not have a CSRF check when regenerating secrets, which could allow attackers to make logged-in admins regenerate the secret of an arbitrary client, given they know the client ID...
openSUSE 15 Security Update : phpPgAdmin (openSUSE-SU-2022:10065-1)
The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2022:10065-1 advisory. - phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such...
CaPa Protect <= 0.5.8.2 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and disable the applied protection. HTMLFormElement.prototype.submit.call(document.getElementById("test"));...
Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
The plugin does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged-in admin delete comments via a CSRF attack. To delete all comments: document.getElementById("test").submit();...
Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF
The plugin does not have a CSRF check in place when deleting and activating games, which could allow attackers to make a logged-in admin perform such actions...
VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them in attributes. As a result, attackers could make a logged-in admin add a tracking campaign with XSS payloads in it via a CSRF attack. The XSS will be triggered in...
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
The plugin does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks. Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries&action=trash&entry=2 Single entry permanent deletion:...
WP-Matomo Integration (WP-Piwik) < 1.0.27 - Plugin Settings Reset via CSRF
The plugin does not have a CSRF check when resetting its settings, which could allow attackers to make a logged-in admin reset them via a CSRF attack. https://example.com/wp-admin/options-general.php?page=wp-piwik%2Fclasses%2FWPPiwik.php&clear=2...
Mageia: Security Advisory (MGASA-2021-0074)
The remote host is missing an update for the...