CVE & Exploit Intelligence Database

CVE-2025-10700 4.3 MEDIUM EPSS 0.00

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the enable_unfiltered_files_upload function. This makes it possible for unauthenticated attackers to enable unfiltered file upload and add svg files to the upload list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 16, 2025

CVE-2025-10312 4.3 MEDIUM EPSS 0.00

The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 15, 2025

CVE-2025-10301 4.3 MEDIUM EPSS 0.00

The FunKItools plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the saveFields() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 15, 2025

CVE-2025-10300 4.3 MEDIUM EPSS 0.00

The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 15, 2025

CVE-2025-60535 7.3 HIGH 2 Writeups EPSS 0.00

A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.

CWE-352 Oct 14, 2025

CVE-2025-59428 5.4 MEDIUM EPSS 0.00

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.

CWE-352 Oct 14, 2025

CVE-2025-7330 6.5 MEDIUM EPSS 0.00

A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link.

CWE-352 Oct 14, 2025

CVE-2025-42908 5.4 MEDIUM EPSS 0.00

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.

CWE-352 Oct 14, 2025

CVE-2025-9626 4.3 MEDIUM EPSS 0.00

The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 11, 2025

CVE-2025-9621 4.3 MEDIUM EPSS 0.00

The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 11, 2025

CVE-2025-8606 2.4 LOW EPSS 0.00

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.

CWE-352 Oct 11, 2025

CVE-2025-10376 4.3 MEDIUM EPSS 0.00

The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 11, 2025

CVE-2025-10375 4.3 MEDIUM EPSS 0.00

The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 11, 2025

CVE-2025-62245 4.3 MEDIUM EPSS 0.00

Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.

CWE-352 Oct 10, 2025

CVE-2025-61930 8.1 HIGH EPSS 0.00

Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist.

CWE-352 Oct 10, 2025

CVE-2025-43296 5.5 MEDIUM EPSS 0.00

A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26. An app may bypass Gatekeeper checks.

CWE-703 Oct 09, 2025

CVE-2025-11166 5.4 MEDIUM EPSS 0.00

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via unsafe GET requests.

CWE-352 Oct 09, 2025

CVE-2025-11442 4.3 MEDIUM EPSS 0.00

A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.

CWE-862 Oct 08, 2025

CVE-2025-60956 8.0 HIGH EPSS 0.00

Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.

CWE-352 Oct 06, 2025

CVE-2025-9886 4.3 MEDIUM 1 PoC Analysis EPSS 0.00

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE-352 Oct 04, 2025