Export limit exceeded: 35281 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9189 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2004-1703 | 1 Fusionphp | 1 Fusion News | 2026-04-16 | 8.8 High |
| Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag. | ||||
| CVE-2002-2426 | 1 Citrix | 3 Access Essentials, Metaframe Presentation Server, Presentation Server | 2026-04-16 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Citrix Presentation Server 4.0 and 4.5, MetaFrame Presentation Server 3.0, and Access Essentials 1.0 through 2.0 allows remote attackers to execute arbitrary published applications, and possibly other programs, as authenticated users via the InitialProgram key in an ICA connection. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2004-1842 | 1 Phpnuke | 1 Php-nuke | 2026-04-16 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. | ||||
| CVE-2026-27050 | 2 Thimpress, Wordpress | 2 Realpress, Wordpress | 2026-04-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery.This issue affects RealPress: from n/a through <= 1.1.0. | ||||
| CVE-2026-1128 | 2 Wordpress, Wp-ecommerce | 2 Wordpress, Wp Ecommerce | 2026-04-15 | 4.3 Medium |
| The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | ||||
| CVE-2026-1070 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1081 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1075 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1208 | 2 Mainichiweb, Wordpress | 2 Friendly Functions For Welcart, Wordpress | 2026-04-15 | 4.3 Medium |
| The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1377 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2023 | 2 Brikou, Wordpress | 2 Wp Plugin Info Card, Wordpress | 2026-04-15 | 4.3 Medium |
| The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1051 | 2 Satollo, Wordpress | 2 Newsletter – Send Awesome Emails From Wordpress, Wordpress | 2026-04-15 | 4.3 Medium |
| The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | ||||
| CVE-2026-1076 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1380 | 2 Lxicon, Wordpress | 2 Bitcoin Donate Button, Wordpress | 2026-04-15 | 4.3 Medium |
| The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1165 | 2 Ays-pro, Wordpress | 2 Popup Box, Wordpress | 2026-04-15 | 4.3 Medium |
| The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | ||||
| CVE-2026-1785 | 2 Codesnippets, Wordpress | 2 Code Snippets, Wordpress | 2026-04-15 | 4.3 Medium |
| The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. | ||||
| CVE-2026-1082 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1215 | 2 Messagemetric, Wordpress | 2 Mma Call Tracking, Wordpress | 2026-04-15 | 4.3 Medium |
| The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-35180 | 1 Wwbn | 1 Avideo | 2026-04-15 | 4.3 Medium |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content. | ||||
| CVE-2026-1072 | 2 Jamesits, Wordpress | 2 Keybase.io Verification, Wordpress | 2026-04-15 | 4.3 Medium |
| The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||