Total
9187 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-6293 | 2 Udamadu, Wordpress | 2 Inquiry Form To Posts Or Pages, Wordpress | 2026-04-16 | 4.3 Medium |
| The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page. | ||||
| CVE-2026-29084 | 1 Forceu | 1 Gokapi | 2026-04-16 | 4.6 Medium |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3. | ||||
| CVE-2026-3770 | 2 Oretnom23, Sourcecodester | 2 Computer Laboratory Management System, Computer Laboratory Management System | 2026-04-16 | 4.3 Medium |
| A flaw has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2026-28281 | 1 Instantcms | 2 Icms2, Instantcms | 2026-04-16 | 7.1 High |
| InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1. | ||||
| CVE-2026-1508 | 2 Court Reservation, Wordpress | 2 Court Reservation, Wordpress | 2026-04-16 | 4.3 Medium |
| The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2026-24521 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery.This issue affects Kama Thumbnail: from n/a through <= 3.5.1. | ||||
| CVE-2026-24549 | 2 Paolo, Wordpress | 2 Geodirectory, Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery.This issue affects GeoDirectory: from n/a through <= 2.8.149. | ||||
| CVE-2026-25319 | 2 Wordpress, Wpzita | 2 Wordpress, Zita Elementor Site Library | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6. | ||||
| CVE-2026-25337 | 2 Wordpress, Wpcoachify | 2 Wordpress, Coachify | 2026-04-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5. | ||||
| CVE-2026-25411 | 2 Themastercut, Wordpress | 2 Revision Manager Tmc, Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <= 2.8.22. | ||||
| CVE-2026-25422 | 2 Themes4wp, Wordpress | 2 Popularis Extra, Wordpress | 2026-04-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10. | ||||
| CVE-2026-28495 | 1 Getsimple-ce | 1 Getsimple Cms | 2026-04-16 | 9.7 Critical |
| GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server. | ||||
| CVE-2026-29113 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-04-16 | 4.3 Medium |
| Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7. | ||||
| CVE-2026-24542 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery.This issue affects WP Term Order: from n/a through <= 2.1.0. | ||||
| CVE-2026-24942 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery.This issue affects WpEvently: from n/a through <= 5.1.1. | ||||
| CVE-2026-24986 | 2 Wordpress, Wp.insider | 2 Wordpress, Simple Membership Wp User Import | 2026-04-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery.This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1. | ||||
| CVE-2026-25014 | 2 Themelooks, Wordpress | 2 Enter Addons, Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2. | ||||
| CVE-2026-25015 | 1 Wordpress | 1 Wordpress | 2026-04-16 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery.This issue affects UsersWP: from n/a through <= 1.2.53. | ||||
| CVE-2026-25322 | 2 Publishpress, Wordpress | 2 Publishpress Revisions, Wordpress | 2026-04-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.22. | ||||
| CVE-2004-1995 | 1 Fusetalk | 1 Fusetalk | 2026-04-16 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm. | ||||