10292 matches found
CVE-2026-53663 React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...
CVE-2026-7859
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...
EUVD-2026-38214
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...
Ozette Plugins - Cross-Site Request Forgery
An attacker can update, create, and remove the site's mobile redirects via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. id: CVE-2023-23897 info: name: Ozette Plugins - Cross-Site Request Forgery author: popcorn94 severity: medi...
CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue
Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...
EUVD-2026-38025
Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...
CVE-2026-49871
The CVE-2026-49871 entry describes a CSRF vulnerability in the cas-auth plugin under default configurations, affecting Apache APISIX releases 3.0.0 through 3.16.0. A remote attacker who can lure a victim to a controlled webpage can cause the victim’s browser to be authenticated as a different ide...
CVE-2026-10034
The CVE concerns the WordPress plugin WP DSGVO Tools (GDPR) with versions up to and including 3.1.39. The core issue is improper authorization verification on the subject-access-request (SAR) AJAX endpoints (process_now and is_ajax), enabling unauthenticated attackers to supply a victim email and...
React Router: Potential CSRF via PUT/PATCH/DELETE document requests
Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...
CVE-2016-20083 WordPress More Fields Plugin 2.1 Cross-Site Request Forgery
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...
CVE-2016-20074 WordPress Lazy Content Slider Plugin 3.4 CSRF
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via...
CVE-2026-54359
The CVE-2026-54359 entries describe an insecure default in MISP where Security.check_sec_fetch_site_header is disabled, allowing CSRF-like abuse where a remote unauthenticated attacker could induce an authenticated user’s browser to issue state-changing requests (POST/PUT/AJAX) to MISP automation...
GHSA-WXQ7-X3QP-VCR8 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Summary The buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts share the same structural root cause as the recently patched CVE-2026-31816: route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the...
WordPress WP eCommerce plugin <= 3.15.1 - Coupon Deletion via CSRF vulnerability
Coupon Deletion via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin WP eCommerce versions = 3.15.1...
PT-2026-48640
Cross-Site request forgery CSRF vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10...
WordPress WP Migrate Lite plugin <= 2.7.8 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery CSRF vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WP Migrate Lite versions = 2.7.8...
CVE-2025-58468
CVE-2025-58468—Notification Center describes a cross-site request forgery (CSRF) vulnerability that could allow remote attackers to gain privileges or hijack user identities. The advisory states the issue is fixed in Notification Center version 1.10.0.3291 and later. From the connected records, n...
CVE-2026-8904
The FastPicker, an order picker and order management system oms for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes i...
CVE-2026-8910
The CVE refers to the WordPress plugin WP Emoticon Rating (versions
EUVD-2026-35300
The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...