Total
6081 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1020 | 1 Codeastrology | 1 Woo Product Table | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument | |||||
| CVE-2022-0916 | 1 Logitech | 1 Options | 2024-11-21 | 6.8 MEDIUM | 8.4 HIGH |
| An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations. | |||||
| CVE-2022-0914 | 1 Atlasgondal | 1 Export All Urls | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example | |||||
| CVE-2022-0875 | 1 Miniorange | 1 Google Authenticator | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks | |||||
| CVE-2022-0830 | 1 Formbuilder Project | 1 Formbuilder | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them. | |||||
| CVE-2022-0770 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page | |||||
| CVE-2022-0707 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack | |||||
| CVE-2022-0681 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack | |||||
| CVE-2022-0642 | 1 Jivochat | 1 Jivochat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. | |||||
| CVE-2022-0638 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0616 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack | |||||
| CVE-2022-0515 | 1 Craterapp | 1 Crater | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4. | |||||
| CVE-2022-0505 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2022-0499 | 1 Sermon Browser Project | 1 Sermon Browser | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. | |||||
| CVE-2022-0445 | 1 Devowl | 1 Wordpress Real Cookie Banner | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack | |||||
| CVE-2022-0427 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover | |||||
| CVE-2022-0335 | 1 Moodle | 1 Moodle | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. | |||||
| CVE-2022-0328 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2022-0313 | 1 Wow-estore | 1 Float Menu | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2022-0269 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-11-21 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0. | |||||