Total: 7170 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-30280 | 1 Nokia | 1 Netact | 2024-11-21 | 8.8 High | /SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) never verifies a CSRF token. With a little help from social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
CVE-2022-30014 | 1 Simple Food Website Project | 1 Simple Food Website | 2024-11-21 | 8.8 High | Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF), which allows anyone to take over an admin/moderator account.
CVE-2022-2987 | 1 Ldap Wp Login / Active Directory Integration Project | 1 Ldap Wp Login / Active Directory Integration | 2024-11-21 | 7.5 High | The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, thereby bypassing the current authentication.
CVE-2022-2986 | 1 Moodle | 1 Moodle | 2024-11-21 | 8.8 High | Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
CVE-2022-2846 | 1 Dwbooster | 1 Calendar Event Multi View | 2024-11-21 | 4.3 Medium | The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them.
CVE-2022-2839 | 1 Zephyr-one | 1 Zephyr Project Manager | 2024-11-21 | 5.4 Medium | The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation or CSRF checks in any of its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged-in admins.
CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.3 Medium | In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token.
CVE-2022-2762 | 1 Adminpad Project | 1 Adminpad | 2024-11-21 | 6.5 Medium | The AdminPad WordPress plugin before 2.2 does not have a CSRF check when updating the admin's note, allowing attackers to make a logged-in admin update their notes via a CSRF attack.
CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-11-21 | 4.3 Medium | The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF checks in multiple AJAX actions, which could allow any authenticated users, such as subscribers, to call them and, for example, suspend vendors (reported by the submitter) or update arbitrary order statuses (identified by WPScan when verifying the issue). Other unauthenticated attacks are also possible, either directly or via CSRF.
CVE-2022-2555 | 1 Yotpo Reviews For Woocommerce Project | 1 Yotpo Reviews For Woocommerce | 2024-11-21 | 6.5 Medium | The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks a nonce check when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2022-2542 | 1 Summitmediaconcepts | 1 Ucontext For Clickbank | 2024-11-21 | 8.8 High | The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Cross-Site Scripting in versions up to, and including, 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2541 | 1 Summitmediaconcepts | 1 Ucontext For Amazon | 2024-11-21 | 8.8 High | The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Cross-Site Scripting in versions up to, and including, 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2540 | 1 Link Optimizer Lite Project | 1 Link Optimizer Lite | 2024-11-21 | 8.8 High | The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Cross-Site Scripting in versions up to, and including, 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2518 | 1 Berocket | 1 Stockists Manager For Woocommerce | 2024-11-21 | 8.8 High | The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2449 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2024-11-21 | 6.5 Medium | The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing attackers to trick logged-in users into performing various actions on their behalf on the site.
CVE-2022-2441 | 1 Orangelab | 1 Imagemagick Engine | 2024-11-21 | 8.8 High | The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and/or modify files hosted on the server, which can easily grant attackers backdoor access to the affected server.
CVE-2022-2435 | 1 Anymind | 1 Anymind Widget | 2024-11-21 | 8.8 High | The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.
CVE-2022-2405 | 1 Themehunk | 1 Wp Popup Builder | 2024-11-21 | 4.3 Medium | The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscribers, to delete arbitrary popups.
CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | 4.3 Medium | The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX actions, allowing any authenticated users, such as subscribers, to create automations.
CVE-2022-2388 | 1 Wow-company | 1 Wp Coder | 2024-11-21 | 6.5 Medium | The WP Coder WordPress plugin before 2.5.3 does not have a CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged-in admin delete arbitrary entries via a CSRF attack.