CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,278 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,568 researchers
8,801 results
CVE-2025-12221 8.8 HIGH EPSS 0.00
Azure-access Blu-ic2 Firmware < 1.20 - CSRF
Busybox 1.31.1 - Multiple Known Vulnerabilities. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
CWE-16 Oct 25, 2025
CVE-2025-11976 4.3 MEDIUM EPSS 0.00
FuseWP - WordPress User Sync - XSS
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Oct 25, 2025
CVE-2025-12095 8.8 HIGH EPSS 0.00
Simple Registration for WooCommerce <1.5.8 - CSRF
The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This makes it possible for unauthenticated attackers to approve pending role requests and escalate user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Oct 25, 2025
CVE-2025-12072 4.3 MEDIUM EPSS 0.00
WordPress <2.0 - CSRF
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
CWE-352 Oct 24, 2025
CVE-2025-12028 8.8 HIGH EPSS 0.00
IndieAuth plugin for WordPress <4.5.4 - CSRF
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen authorization code for an access token, effectively taking over the victim's account with the granted scopes (create, update, delete).
CWE-352 Oct 24, 2025
CVE-2025-56009 5.3 MEDIUM EPSS 0.00
KeeneticOS <4.3 - CSRF
Cross-site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at the "/rci" API endpoint allows attackers to take over the device by adding additional users with full permissions, provided they can get the victim to open a page containing the exploit.
CWE-352 Oct 23, 2025
CVE-2025-62061 4.3 MEDIUM EPSS 0.00
impleCode Product Catalog <=1.8.4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple post-type-x. This issue affects Product Catalog Simple: from n/a through <= 1.8.4.
CWE-352 Oct 22, 2025
CVE-2025-62009 4.3 MEDIUM EPSS 0.00
UPC/EAN/GTIN Code Generator - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator upc-ean-barcode-generator allows Cross Site Request Forgery. This issue affects UPC/EAN/GTIN Code Generator: from n/a through <= 2.0.2.
CWE-352 Oct 22, 2025
CVE-2025-62005 7.1 HIGH EPSS 0.00
SUMO Memberships for WooCommerce < 7.8.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Cross Site Request Forgery. This issue affects SUMO Memberships for WooCommerce: from n/a through < 7.8.0.
CWE-352 Oct 22, 2025
CVE-2025-60208 8.8 HIGH EPSS 0.00
Tusko Trush Advanced Custom Fields - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
CWE-352 Oct 22, 2025
CVE-2025-60168 7.1 HIGH EPSS 0.00
HotelRunner Booking Widget <2 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS. This issue affects HotelRunner Booking Widget: from n/a through <= 1.6.
CWE-352 Oct 22, 2025
CVE-2025-60134 5.3 MEDIUM EPSS 0.00
John James Jacoby WP Media Categories <= 2.1.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery. This issue affects WP Media Categories: from n/a through <= 2.1.0.
CWE-352 Oct 22, 2025
CVE-2025-60132 4.3 MEDIUM EPSS 0.00
Video Blogster Lite <1.3 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in johnh10 Video Blogster Lite video-blogster-lite allows Stored XSS. This issue affects Video Blogster Lite: from n/a through <= 1.2.
CWE-352 Oct 22, 2025
CVE-2025-49373 4.3 MEDIUM EPSS 0.00
Evergreen Content Poster <=1.4.5 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery. This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.
CWE-352 Oct 22, 2025
CVE-2025-48099 4.7 MEDIUM EPSS 0.00
Code Amp Search & Filter <= 1.2.17 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery. This issue affects Search & Filter: from n/a through <= 1.2.17.
CWE-352 Oct 22, 2025
CVE-2025-10588 4.3 MEDIUM EPSS 0.00
PixelYourSite - CSRF
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Oct 22, 2025
CVE-2025-62771 7.5 HIGH EPSS 0.00
Mercku M6a <2.1.0 - CSRF
Mercku M6a devices through 2.1.0 allow password changes via intranet CSRF attacks.
CWE-352 Oct 22, 2025
CVE-2025-47410 8.8 HIGH EPSS 0.00
Apache Geode < 1.15.2 - CSRF
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1. Users are recommended to upgrade to version 1.15.2, which fixes the issue.
CWE-352 Oct 18, 2025
CVE-2025-9890 8.8 HIGH EPSS 0.00
WordPress Theme Editor <3.0 - CSRF
The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Oct 18, 2025
CVE-2025-41254 4.3 MEDIUM EPSS 0.00
Org.springframework Spring-websocket < 6.2.12 - CSRF
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.11
* 6.1.0 - 6.1.23
* 6.0.x - 6.0.29
* 5.3.0 - 5.3.45
* Older, unsupported versions are also affected.

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) | Fix version | Availability
6.2.x | 6.2.12 | OSS
6.1.x | 6.1.24 | Commercial (https://enterprise.spring.io/)
6.0.x | N/A | Out of support (https://spring.io/projects/spring-framework#support)
5.3.x | 5.3.46 | Commercial (https://enterprise.spring.io/)

No further mitigation steps are necessary.

Credit
This vulnerability was discovered and responsibly reported by Jannis Kaiser.
CWE-352 Oct 16, 2025