Search Results (8771 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-1342 1 Rapidload 1 Rapidload Power-up For Autoptimize 2026-02-20 4.3 Medium
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ucss_connect function. This makes it possible for unauthenticated attackers to connect the site to a new license key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-1341 1 Rapidload 1 Rapidload Power-up For Autoptimize 2026-02-20 4.3 Medium
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ajax_deactivate function. This makes it possible for unauthenticated attackers to turn off caching via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-1340 1 Rapidload 1 Rapidload Power-up For Autoptimize 2026-02-20 4.3 Medium
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the clear_uucss_logs function. This makes it possible for unauthenticated attackers to clear plugin logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-55089 1 Rhymix 1 Rhymix 2026-02-20 4.1 Medium
Rhymix before 2.1.24 is vulnerable to Server-Side Request Forgery (SSRF) in the background import data function because XML documents may contain external entities.
CVE-2026-25322 2 Publishpress, Wordpress 2 Publishpress Revisions, Wordpress 2026-02-20 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.22.
CVE-2020-37158 2 Avideo, Wwbn 2 Avideo Platform, Avideo 2026-02-20 5.3 Medium
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
CVE-2026-26317 1 Openclaw 2 Clawdbot, Openclaw 2026-02-20 7.1 High
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.
CVE-2020-37096 1 Edimax 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware 2026-02-20 5.3 Medium
Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent.
CVE-2026-25319 2 Wordpress, Wpzita 2 Wordpress, Zita Elementor Site Library 2026-02-20 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.
CVE-2026-25337 2 Wordpress, Wpcoachify 2 Wordpress, Coachify 2026-02-20 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5.
CVE-2026-25411 2 Themastercut, Wordpress 2 Revision Manager Tmc, Wordpress 2026-02-20 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <= 2.8.22.
CVE-2026-25422 2 Themes4wp, Wordpress 2 Popularis Extra, Wordpress 2026-02-20 N/A
Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10.
CVE-2026-27050 2 Thimpress, Wordpress 2 Realpress, Wordpress 2026-02-20 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery.This issue affects RealPress: from n/a through <= 1.1.0.
CVE-2026-27090 2 Wordpress, Wp Moose 2 Wordpress, Kenta Companion 2026-02-20 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3.
CVE-2026-1455 2 Whatsiplus, Wordpress 2 Whatsiplus Scheduled Notification For Woocommerce, Wordpress 2026-02-19 4.3 Medium
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-13982 2 Drupal, Innoraft 2 Login Time Restriction, Login Time Restriction 2026-02-19 8.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery.This issue affects Login Time Restriction: from 0.0.0 before 1.0.3.
CVE-2019-25359 1 Sitzungsdienst 1 Sd.net Rim 2026-02-19 8.2 High
SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/ endpoint, enabling unauthorized database manipulation and potential information disclosure.
CVE-2018-17366 1 Mingsoft 1 Mcms 2026-02-19 N/A
An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
CVE-2025-12172 2 Mailchimp, Wordpress 2 Mailchimp List Subscribe Form, Wordpress 2026-02-19 4.3 Medium
The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-12821 2 Spicethemes, Wordpress 2 Newsblogger, Wordpress 2026-02-19 8.8 High
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.