#csrf

CVE-2021-24988

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue because the wprss_dismiss_addon_notice AJAX action lacks authorisation and CSRF checks, allowing any authenticated user, such as a subscriber, to call it and set a malicious payload in the addon parameter.

CVE-2021-24969

The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as the admin dashboard and the frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated user, such as a subscriber, is able to call it and perform Cross-Site Scripting attacks.

CVE-2021-4168

showdoc is vulnerable to Cross-Site Request Forgery (CSRF).

CVE-2021-4162: Cross-Site Request Forgery (CSRF) in archivy

archivy is vulnerable to Cross-Site Request Forgery (CSRF).

CVE-2020-20593: Xinhu OA online demo _ Xinhu (信呼)

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.

CVE-2020-20595: There is one CSRF vulnerability that can add the account · Issue #25 · lock-upme/OPMS

A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via the /user/add endpoint.

CVE-2020-20598: Csrf + Xss combination Can be obtained user cookie · Issue #199 · xuhuisheng/lemon

A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

CVE-2021-36886: Contact Form 7 Database Addon – CFDB7

Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).