7 matches found

OSV
added 2026/03/31 11:11 p.m. | 2 views

GHSA-PH84-R98X-2J22 Admidio has Missing CSRF Protection on Registration Approval Actions

Summary The createuser, assignmember, and assignuser action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the deleteuser mode in the same file which correctly validates the token, these three approval actions read thei...

CVSS 4.5 | AI score 6 | EPSS 0.00169
Exploits: 1 | References: 4
NVD
added 2026/03/31 9:16 p.m. | 3 views

CVE-2026-34384

Admidio is an open-source user management solution. Prior to version 5.0.8, the createuser, assignmember, and assignuser action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the deleteuser mode in the same file which...

CVSS 7.3 | EPSS 0.00169
Exploits: 1 | References: 2
CVE
added 2026/03/31 8:34 p.m. | 7 views

CVE-2026-34384

Admidio vulnerability CVE-2026-34384: Before 5.0.8, the approval modes create_user, assign_member, and assign_user in modules/registration.php accepted GET-based requests with no CSRF validation, allowing an attacker with a pending registration and a rol_approve_users right to auto-approve or mer...

CVSS 7.3 | AI score 5.8 | EPSS 0.00169
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/03/31 8:34 p.m. | 4 views

CVE-2026-34384 Admidio: Missing CSRF Protection on Registration Approval Actions

Admidio is an open-source user management solution. Prior to version 5.0.8, the createuser, assignmember, and assignuser action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the deleteuser mode in the same file which...

CVSS 4.5 | AI score 5.8 | EPSS 0.00169
Exploits: 1 | References: 4
Vulnrichment
added 2025/04/04 7:0 a.m. | 15 views

CVE-2025-2797 Woffice Core <= 5.4.21 - Cross-Site Request Forgery to User Registration Approval

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'wofficehandleuserapprovalactions' function. This makes it possible for unauthenticated attackers to approve...

CVSS 5.4 | AI score 6.7 | EPSS 0.00124
Exploits: 0 | References: 2
NVD
added 2014/06/11 2:55 p.m. | 18 views

CVE-2014-3850

Cross-site request forgery (CSRF) vulnerability in the Member Approval plugin 131109 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings to their default and disable registration approval via a request to...

CVSS 6.8 | AI score 7 | EPSS 0.01024
Exploits: 2 | References: 2
Prion
added 2014/06/11 2:55 p.m. | 14 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in the Member Approval plugin 131109 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings to their default and disable registration approval via a request to...

CVSS 6.8 | AI score 7.6 | EPSS 0.01024
Exploits: 2 | References: 2 | Affected Software: 1