CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,293 with exploits | 4,731 exploited in the wild | 1,542 in CISA KEV | 3,930 Nuclei templates | 37,826 vendors | 42,585 researchers

8,801 results
CVE-2024-11142 8.8 HIGH EPSS 0.00
Proticaret < 6.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery. This issue affects Proticaret E-Commerce: before v6.0. NOTE: According to the vendor, the fixing process is still ongoing for v4.05.
CWE-352 May 02, 2025
CVE-2025-2168 4.3 MEDIUM EPSS 0.00
Bdthemes Ultimate Store Kit < 2.5.0 - CSRF
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1`, which can be leveraged to lock an administrator out of their site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 May 01, 2025
CVE-2025-1305 8.8 HIGH EPSS 0.00
Spicethemes Newsblogger < 0.2.5.5 - CSRF
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 May 01, 2025
CVE-2025-32354 8.8 HIGH EPSS 0.00
Synacor Zimbra Collaboration Suite < 10.1.4 - CSRF
In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.
CWE-352 Apr 29, 2025
CVE-2025-4088 6.5 MEDIUM EPSS 0.00
Mozilla Firefox < 138.0 - CSRF
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
CWE-352 Apr 29, 2025
CVE-2025-3997 4.3 MEDIUM 1 Writeup EPSS 0.00
dazhouda lecms 3.0.3 - CSRF
A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CWE-862 Apr 28, 2025
CVE-2025-3979 4.3 MEDIUM 1 Writeup EPSS 0.00
dazhouda lecms 3.0.3 - CSRF
A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-password-ajax-1 of the component Password Change Handler. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CWE-862 Apr 27, 2025
CVE-2025-3964 4.3 MEDIUM 1 Writeup EPSS 0.00
withstars Books-Management-System 1.0 - CSRF
A vulnerability, which was classified as problematic, was found in withstars Books-Management-System 1.0. Affected is an unknown function of the file /api/article/del of the component Article Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CWE-862 Apr 27, 2025
CVE-2025-3959 4.3 MEDIUM 1 Writeup EPSS 0.00
withstars Books-Management-System 1.0 - CSRF
A vulnerability was found in withstars Books-Management-System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /reader_delete.html. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CWE-862 Apr 27, 2025
CVE-2025-2907 9.8 CRITICAL EXPLOITED 1 PoC Analysis NUCLEI EPSS 0.10
Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore, it also lacks proper checks to only update options relevant to the plugin. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.
CWE-352 Apr 26, 2025
CVE-2025-3638 8.8 HIGH EPSS 0.00
Moodle < 4.1.18 - CSRF
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.
CWE-352 Apr 25, 2025
CVE-2025-3635 3.5 LOW EPSS 0.00
Moodle < 4.1.18 - CSRF
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
CWE-352 Apr 25, 2025
CVE-2025-46547 5.4 MEDIUM EPSS 0.00
Sherpa Orchestrator 141851 - CSRF
In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.
CWE-352 Apr 25, 2025
CVE-2025-46530 7.1 HIGH EPSS 0.00
HuangYe WuDeng Hacklog Remote Attachment < 1.3.2 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment allows Stored XSS. This issue affects Hacklog Remote Attachment: from n/a through 1.3.2.
CWE-352 Apr 24, 2025
CVE-2025-46528 7.1 HIGH EPSS 0.00
Steve Availability Calendar < 0.2.4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Steve Availability Calendar allows Stored XSS. This issue affects Availability Calendar: from n/a through 0.2.4.
CWE-352 Apr 24, 2025
CVE-2025-46524 7.1 HIGH EPSS 0.00
stesvis WP Filter Post Category < 2.1.4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in stesvis WP Filter Post Category allows Stored XSS. This issue affects WP Filter Post Category: from n/a through 2.1.4.
CWE-352 Apr 24, 2025
CVE-2025-46522 7.1 HIGH EPSS 0.00
Billy Bryant Tabs < 4.0.3 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Billy Bryant Tabs allows Stored XSS. This issue affects Tabs: from n/a through 4.0.3.
CWE-352 Apr 24, 2025
CVE-2025-46520 7.1 HIGH EPSS 0.00
alphasis Related Posts < 1.0.1 - CSRF/XSS
Cross-Site Request Forgery (CSRF) vulnerability in alphasis Related Posts via Taxonomies allows Stored XSS. This issue affects Related Posts via Taxonomies: from n/a through 1.0.1.
CWE-352 Apr 24, 2025
CVE-2025-46516 7.1 HIGH EPSS 0.00
silencecm Twitter Card Generator < 1.0.5 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in silencecm Twitter Card Generator allows Stored XSS. This issue affects Twitter Card Generator: from n/a through 1.0.5.
CWE-352 Apr 24, 2025
CVE-2025-46514 7.1 HIGH EPSS 0.00
Milat jQuery Automatic Popup < 1.3.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in milat Milat jQuery Automatic Popup allows Stored XSS. This issue affects Milat jQuery Automatic Popup: from n/a through 1.3.1.
CWE-352 Apr 24, 2025