Ozette Plugins - Cross-Site Request Forgery

An attacker can update, create, and remove the site's mobile redirects via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. id: CVE-2023-23897 info: name: Ozette Plugins - Cross-Site Request Forgery author: popcorn94 severity: medi...

CVE-2026-57295

A cross-site request forgery CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins...

CVE-2026-57290

A cross-site request forgery CSRF vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b84449 and earlier allows attackers to overwrite the global job priority configuration...

EUVD-2026-38669

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

CVE-2026-10552

The CVE-2026-10552 entry concerns the WordPress plugin Blue Captcha (versions up to 2.0.1). It documents a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation on the main admin page (blcap_main_page) and on Hall of Shame and Log subpages. These pages accept a bl...

EUVD-2026-38665

The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordeskadminhome function. This makes it possible for unauthenticated attackers to update the plugin's...

CVE-2026-9721

CVE-2026-9721 affects the Book a Room Event Calendar plugin for WordPress (versions up to 1.9). The vulnerability is a Cross-Site Request Forgery due to missing nonce validation on the settings_form()/update_settings() flow. The plugin’s settings page accepts POST actions and persists configurati...

CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...

PT-2026-51678

Name of the Vulnerable Software and Affected Versions MP Customize Login Page versions prior to 1.1 Description The MP Customize Login Page plugin for WordPress is subject to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a logged-in user into performing unwanted actions. The...

WordPress Osiris Signature Banner plugin <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Osiris Signature Banner versions = 0.5...

CVE-2026-53663 React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass

React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...

CVE-2026-7859

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...

EUVD-2026-38214

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...

EUVD-2026-38025

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

CVE-2026-49871

CVE-2026-49871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations in Apache APISIX versions 3.0.0–3.16.0. The issue allows a remote attacker who can lure a victim to a controlled webpage to cause the victim’s browser to become authentic...

CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

CVE-2026-10034

The CVE concerns the WordPress plugin WP DSGVO Tools (GDPR) with versions up to and including 3.1.39. The core issue is improper authorization verification on the subject-access-request (SAR) AJAX endpoints (process_now and is_ajax), enabling unauthenticated attackers to supply a victim email and...

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

CVE-2016-20083 WordPress More Fields Plugin 2.1 Cross-Site Request Forgery

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

CVE-2016-20074 WordPress Lazy Content Slider Plugin 3.4 CSRF

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via...