CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,283 with exploits | 4,731 exploited in wild | 1,542 CISA KEV | 3,930 Nuclei templates | 37,826 vendors | 42,577 researchers

8,801 results
CVE-2025-28964 7.1 HIGH EPSS 0.00
mangup Personal Favicon <2.0 - XSS
Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon allows Stored XSS. This issue affects Personal Favicon: from n/a through 2.0.
CWE-352 Jun 06, 2025
CVE-2025-28958 7.1 HIGH EPSS 0.00
Bg Orthodox Calendar <0.13.10 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov Bg Orthodox Calendar allows Stored XSS. This issue affects Bg Orthodox Calendar: from n/a through 0.13.10.
CWE-352 Jun 06, 2025
CVE-2025-28954 7.4 HIGH EPSS 0.00
wphobby Backwp <2.0.2 - CSRF/Path Traversal
Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp allows Path Traversal. This issue affects Backwp: from n/a through 2.0.2.
CWE-352 Jun 06, 2025
CVE-2025-28952 4.3 MEDIUM EPSS 0.00
Jonathan Lau CubePoints <3.2.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Jonathan Lau CubePoints allows Cross Site Request Forgery. This issue affects CubePoints: from n/a through 3.2.1.
CWE-352 Jun 06, 2025
CVE-2025-28950 7.1 HIGH EPSS 0.00
Post Author <1.1.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai Post Author allows Stored XSS. This issue affects Post Author: from n/a through 1.1.1.
CWE-352 Jun 06, 2025
CVE-2025-28948 7.1 HIGH EPSS 0.00
Codedraft Mediabay - WordPress Media Library Folders <1.4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in codedraft Mediabay - WordPress Media Library Folders allows Reflected XSS. This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4.
CWE-352 Jun 06, 2025
CVE-2025-27360 4.3 MEDIUM EPSS 0.00
WP Corner Quick Event Calendar <1.4.9 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in WP Corner Quick Event Calendar allows Cross Site Request Forgery. This issue affects Quick Event Calendar: from n/a through 1.4.9.
CWE-352 Jun 06, 2025
CVE-2025-27359 4.3 MEDIUM EPSS 0.00
Seerox WP Media File Type Manager <2.3.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Seerox WP Media File Type Manager allows Cross Site Request Forgery. This issue affects WP Media File Type Manager: from n/a through 2.3.0.
CWE-352 Jun 06, 2025
CVE-2025-26593 4.3 MEDIUM EPSS 0.00
FasterThemes FastBook - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in FasterThemes FastBook allows Cross Site Request Forgery. This issue affects FastBook: from n/a through 1.1.
CWE-352 Jun 06, 2025
CVE-2025-24772 5.4 MEDIUM EPSS 0.00
Pay with Contact Form 7 <1.0.4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in cmsMinds Pay with Contact Form 7 allows Cross Site Request Forgery. This issue affects Pay with Contact Form 7: from n/a through 1.0.4.
CWE-352 Jun 06, 2025
CVE-2025-49077 4.3 MEDIUM EPSS 0.00
ThemeHigh Dynamic Pricing <2.2.9 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in ThemeHigh Dynamic Pricing and Discount Rules allows Cross Site Request Forgery. This issue affects Dynamic Pricing and Discount Rules: from n/a through 2.2.9.
CWE-352 Jun 06, 2025
CVE-2025-48328 4.3 MEDIUM EPSS 0.00
Daman Jeet Real Time Validation for Gravity Forms <1.7.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Daman Jeet Real Time Validation for Gravity Forms allows Cross Site Request Forgery. This issue affects Real Time Validation for Gravity Forms: from n/a through 1.7.0.
CWE-352 Jun 06, 2025
CVE-2025-5732 4.3 MEDIUM EPSS 0.00
Carmelo Traffic Offense Reporting System - Missing Authorization
A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CWE-862 Jun 06, 2025
CVE-2025-5019 5.4 MEDIUM EPSS 0.00
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin...
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Jun 06, 2025
CVE-2025-4966 6.1 MEDIUM EPSS 0.00
Hk1993 WP Online Users Stats < 1.0.0 - CSRF
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Jun 06, 2025
CVE-2025-2935 5.4 MEDIUM EPSS 0.00
Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms - XSS
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Jun 06, 2025
CVE-2025-36513 4.3 MEDIUM EPSS 0.00
i-PRO Co., Ltd. - CSRF
Cross-site request forgery vulnerability exists in surveillance cameras provided by i-PRO Co., Ltd. If a user views a crafted page while logged in to the affected product, unintended operations may be performed.
CWE-352 Jun 06, 2025
CVE-2025-46257 4.3 MEDIUM EPSS 0.00
BdThemes Element Pack Pro <8.0.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in BdThemes Element Pack Pro allows Cross Site Request Forgery. This issue affects Element Pack Pro: from n/a before 8.0.0.
CWE-352 Jun 05, 2025
CVE-2025-31482 4.3 MEDIUM EPSS 0.00
Freshrss < 1.26.2 - CSRF
FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.
CWE-352 Jun 04, 2025
CVE-2025-4580 4.3 MEDIUM EPSS 0.00
Dimdavid File Provider < 1.2.3 - CSRF
The File Provider WordPress plugin through 1.2.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CWE-352 Jun 04, 2025