Export limit exceeded: 33614 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9200 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-41793 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 6.7 Medium |
| : Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2025-47636 | 2025-09-15 | 7.5 High | ||
| Path Traversal vulnerability in Fernando Briano List category posts list-category-posts allows PHP Local File Inclusion.This issue affects List category posts: from n/a through 0.91.0. | ||||
| CVE-2025-9881 | 1 Wordpress | 1 Wordpress | 2025-09-15 | 6.1 Medium |
| The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9880 | 2 Dejocar, Wordpress | 2 Side Slide Responsive Menu, Wordpress | 2025-09-15 | 6.1 Medium |
| The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-48114 | 1 Wordpress | 1 Wordpress | 2025-09-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in ShayanWeb Admin FontChanger allows Stored XSS.This issue affects ShayanWeb Admin FontChanger: from n/a through 1.9.1. | ||||
| CVE-2025-51586 | 1 Prestashop | 1 Prestashop | 2025-09-12 | 3.7 Low |
| An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. | ||||
| CVE-2023-5455 | 3 Fedoraproject, Freeipa, Redhat | 25 Fedora, Freeipa, Codeready Linux Builder and 22 more | 2025-09-12 | 6.5 Medium |
| A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt. | ||||
| CVE-2025-58430 | 2 Listmok Project, Nadh | 2 Listmonk, Listmonk | 2025-09-12 | N/A |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can result in improper admin account creation. As of time of publication, no patched versions are available. | ||||
| CVE-2025-9632 | 2 Vinzzb, Wordpress | 2 Phplist Subber, Wordpress | 2025-09-12 | 4.3 Medium |
| The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9617 | 2 Evidentlycube, Wordpress | 2 Publish Approval Plugin, Wordpress | 2025-09-12 | 5.3 Medium |
| The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8481 | 3 Elementor, Mdimran41, Wordpress | 3 Elementor, Blog Designer For Elementor Plugin, Wordpress | 2025-09-12 | 4.3 Medium |
| The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9631 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9633 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9634 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The Plugin updates blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the pub_save action handler. This makes it possible for unauthenticated attackers to disable or enable plugin updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9623 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enable_eng function. This makes it possible for unauthenticated attackers to modify administrator language settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9628 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify critical API connection settings including the AMO.CRM API URL, login credentials, and API hash key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9635 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9627 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl_plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings including distance units, pace display preferences, style themes, and display positions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9620 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 6.1 Medium |
| The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. This is due to missing or incorrect nonce validation on the check_integration() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8479 | 1 Wordpress | 1 Wordpress | 2025-09-12 | 4.3 Medium |
| The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||