Total
6253 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-0638 | 1 Microweber | 1 Microweber | 2024-08-02 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | ||||
| CVE-2022-0642 | 1 Jivochat | 1 Jivochat | 2024-08-02 | 5.4 Medium |
| The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. | ||||
| CVE-2022-0616 | 1 Tms-outsource | 1 Amelia | 2024-08-02 | 4.3 Medium |
| The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack | ||||
| CVE-2022-0634 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-08-02 | 4.3 Medium |
| The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request. | ||||
| CVE-2022-0515 | 1 Craterapp | 1 Crater | 2024-08-02 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4. | ||||
| CVE-2022-0499 | 1 Sermon Browser Project | 1 Sermon Browser | 2024-08-02 | 8.8 High |
| The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. | ||||
| CVE-2022-0505 | 1 Microweber | 1 Microweber | 2024-08-02 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. | ||||
| CVE-2022-0445 | 1 Devowl | 1 Wordpress Real Cookie Banner | 2024-08-02 | 6.5 Medium |
| The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack | ||||
| CVE-2022-0345 | 1 Madewithfuel | 1 Customize Wordpress Emails And Alerts | 2024-08-02 | 4.3 Medium |
| The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.). | ||||
| CVE-2022-0269 | 1 Yetiforce | 1 Yetiforce Customer Relationship Management | 2024-08-02 | 8.0 High |
| Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0. | ||||
| CVE-2022-0328 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-08-02 | 4.7 Medium |
| The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2022-0444 | 1 Watchful | 1 Xcloner | 2024-08-02 | 4.3 Medium |
| The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. | ||||
| CVE-2022-0439 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-08-02 | 8.8 High |
| The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link. | ||||
| CVE-2022-0398 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-08-02 | 5.4 Medium |
| The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website | ||||
| CVE-2022-0427 | 1 Gitlab | 1 Gitlab | 2024-08-02 | 7.7 High |
| Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover | ||||
| CVE-2022-0363 | 1 Mycred | 1 Mycred | 2024-08-02 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | ||||
| CVE-2022-0313 | 1 Wow-estore | 1 Float Menu | 2024-08-02 | 4.3 Medium |
| The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2022-0335 | 1 Moodle | 1 Moodle | 2024-08-02 | 8.8 High |
| A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. | ||||
| CVE-2022-0238 | 2 Fedoraproject, Phoronix-media | 2 Fedora, Phoronix Test Suite | 2024-08-02 | 4.3 Medium |
| phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2022-0226 | 1 Livehelperchat | 1 Live Helper Chat | 2024-08-02 | 4.3 Medium |
| livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | ||||