Total
4535 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34373 | 2023-06-19 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions. | |||||
| CVE-2023-2277 | 1 Wpdirectorykit | 1 Wp Directory Kit | 2023-06-16 | N/A | 4.7 MEDIUM |
| The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-1807 | 1 Staxwp | 1 Stax | 2023-06-16 | N/A | 4.3 MEDIUM |
| The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers to enable or disable Elementor widgets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-31200 | 1 Ptc | 1 Vuforia Studio | 2023-06-16 | N/A | 8.0 HIGH |
| PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site request forgery attack or a replay attack. | |||||
| CVE-2023-2285 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2023-06-16 | N/A | 4.3 MEDIUM |
| The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2286 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2023-06-16 | N/A | 4.3 MEDIUM |
| The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2599 | 1 Miniorange | 1 Active Directory Integration \/ Ldap Integration | 2023-06-15 | N/A | 6.5 MEDIUM |
| The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to cause resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2087 | 1 Wpdeveloper | 1 Essential Blocks | 2023-06-15 | N/A | 4.3 MEDIUM |
| The Essential Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.6. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-2067 | 1 Bulletin | 1 Announcement \& Notification Banner - Bulletin | 2023-06-15 | N/A | 5.4 MEDIUM |
| The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce validation on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings', 'bulletinwp_update_status', 'bulletinwp_export_bulletins', and 'bulletinwp_import_bulletins' functions in versions up to, and including, 3.7.0. This makes it possible for unauthenticated attackers to modify the plugin's settings, modify bulletins, create new bulletins, and more, via a forged request granted they can trick a site's user into performing an action such as clicking on a link. | |||||
| CVE-2023-25055 | 2023-06-15 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Amit Agarwal Google XML Sitemap for Videos plugin <= 2.6.1 versions. | |||||
| CVE-2023-27634 | 2023-06-15 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability allows arbitrary file upload in Shingo Intrepidity plugin <= 1.5.1 versions. | |||||
| CVE-2023-25450 | 2023-06-15 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1 versions. | |||||
| CVE-2023-23802 | 2023-06-15 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in HasThemes HT Easy GA4 ( Google Analytics 4 ) plugin <= 1.0.6 versions. | |||||
| CVE-2023-2526 | 1 Supsystic | 1 Easy Google Maps | 2023-06-15 | N/A | 5.4 MEDIUM |
| The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-25449 | 2023-06-15 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions. | |||||
| CVE-2023-0292 | 1 Expresstech | 1 Quiz And Survey Master | 2023-06-14 | N/A | 8.1 HIGH |
| The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2020-36707 | 1 Wpconcern | 1 Coming Soon \& Maintenance Mode Page | 2023-06-14 | N/A | 8.8 HIGH |
| The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-0729 | 1 Wickedplugins | 1 Wicked Folders | 2023-06-14 | N/A | 4.3 MEDIUM |
| The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_save_sort_order function. This makes it possible for unauthenticated attackers to invoke this function via forged request granted they can trick a site administrator into performing an action such as clicking on a link leading them to perform actions intended for administrators such as changing the folder structure maintained by the plugin. | |||||
| CVE-2023-0831 | 1 Webfactoryltd | 1 Under Construction | 2023-06-14 | N/A | 4.3 MEDIUM |
| The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-0832 | 1 Webfactoryltd | 1 Under Construction | 2023-06-14 | N/A | 4.3 MEDIUM |
| The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||