VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Abstraction: Compound · Status: Stable · Likelihood of exploit: Medium

Description

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it. Because a browser attaches ambient credentials (session cookies, HTTP authentication) to a request regardless of which page caused it, an attacker's page can make a logged-in victim's browser submit state-changing requests that the application then executes as the victim.
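The weakness in working code, as an added example that is not part of this VYPR page or of any project in the CVE list below: a cookie-authenticated "update e-mail" handler that performs no request-origin verification (the "missing nonce validation" pattern that recurs in the list), beside a hardened version that requires a session-bound synchronizer token and additionally rejects requests that the browser's Fetch Metadata or Origin headers mark as cross-site. Requests are plain dicts so it runs offline; the host names, the session table, SERVER_KEY handling and the sample requests are constructed for illustration.

```python
"""CSRF (CWE-352): a cookie-authenticated, state-changing handler that does
no request-origin verification, beside a hardened version that requires a
session-bound synchronizer token and rejects cross-site requests flagged by
Fetch Metadata / Origin headers. Requests are plain dicts so this runs offline.
All names, hosts and session values here are constructed for illustration."""
import hashlib
import hmac
import secrets

APP_ORIGIN = "https://app.example"        # assumed deployment origin
SERVER_KEY = secrets.token_bytes(32)      # per-process secret for token derivation


def new_session_store() -> dict:
    """Constructed sample session table: one logged-in user keyed by cookie."""
    return {"s3ss10n": {"user": "alice", "email": "alice@example.com"}}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC. The legitimate
    page embeds it in its own forms; a cross-site page cannot read it (it can
    read neither our cookies nor our HTML) and cannot forge it without
    SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_update_email(sessions: dict, request: dict) -> dict:
    """Trusts the session cookie alone. A form auto-submitted from an
    attacker's page carries alice's cookie, so the change goes through."""
    sess = sessions.get(request["cookies"].get("sid"))
    if sess is None:
        return {"status": 401}
    sess["email"] = request["form"]["email"]
    return {"status": 200, "email": sess["email"]}


def hardened_update_email(sessions: dict, request: dict) -> dict:
    """Same handler with three independent checks; any one failing rejects."""
    sid = request["cookies"].get("sid")
    sess = sessions.get(sid)
    if sess is None:
        return {"status": 401}
    headers = request.get("headers", {})
    # 1. Fetch Metadata: browsers that send Sec-Fetch-Site label cross-site
    #    navigations and fetches. 'same-site' (a sibling subdomain) is refused
    #    too, so a compromised subdomain does not count as us.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return {"status": 403, "reason": "cross-site request (Sec-Fetch-Site)"}
    # 2. Origin header, when present, must match our own origin.
    origin = headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return {"status": 403, "reason": "origin mismatch"}
    # 3. Synchronizer token, compared in constant time on bytes so a non-ASCII
    #    token cannot make compare_digest raise. This check still holds on old
    #    browsers that send neither header above.
    token = str(request["form"].get("csrf_token", "")).encode()
    if not hmac.compare_digest(token, issue_csrf_token(sid).encode()):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    sess["email"] = request["form"]["email"]
    return {"status": 200, "email": sess["email"]}


def forged_request() -> dict:
    """What the victim's browser sends when attacker.example auto-submits a
    form: the cookie rides along, the token and our origin do not."""
    return {
        "cookies": {"sid": "s3ss10n"},
        "headers": {"Origin": "https://attacker.example",
                    "Sec-Fetch-Site": "cross-site"},
        "form": {"email": "attacker@attacker.example"},
    }


def legitimate_request() -> dict:
    """The same submission from our own page, carrying the embedded token."""
    return {
        "cookies": {"sid": "s3ss10n"},
        "headers": {"Origin": APP_ORIGIN, "Sec-Fetch-Site": "same-origin"},
        "form": {"email": "alice@new.example",
                 "csrf_token": issue_csrf_token("s3ss10n")},
    }


def demo() -> dict:
    """Run both handlers against the forged request and the hardened handler
    against the legitimate one; returns the three outcomes."""
    vuln_store, hard_store = new_session_store(), new_session_store()
    return {
        "vulnerable_forged": vulnerable_update_email(vuln_store, forged_request()),
        "hardened_forged": hardened_update_email(hard_store, forged_request()),
        "hardened_legit": hardened_update_email(hard_store, legitimate_request()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token check is the one that must never be skipped: Sec-Fetch-Site and Origin are defence in depth that older clients omit, and a SameSite=Lax or Strict attribute on the session cookie adds a further browser-side layer. In WordPress, the equivalent of the token check is a nonce emitted with wp_nonce_field() and verified with wp_verify_nonce() or check_admin_referer(), paired with a current_user_can() capability check; the "missing or incorrect nonce validation" entries in the list below are handlers where that pair is absent or wired to the wrong action.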

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 10 of 286
  • CVE-2024-13933 · High · Mar 19, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete,…

  • CVE-2024-51144 · High · Mar 5, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', pvmsg.php?action=confirm_delete , and ajax.server.php?page=user&action=flip_follow endpoints in Ampache <= 6.6.0.

  • CVE-2025-1687 · High · Feb 28, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and…

  • CVE-2025-27276 · High · Feb 24, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Photo Gallery ( Responsive ) photo-gallery-pearlbells allows Privilege Escalation. This issue affects Photo Gallery ( Responsive ): from n/a through <= 4.0.

  • CVE-2025-27012 · High · Feb 22, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5.

  • CVE-2025-23532 · High · Jan 16, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Regios MyAnime Widget myanime-widget allows Privilege Escalation. This issue affects MyAnime Widget: from n/a through <= 1.0.

  • CVE-2025-23530 · High · Jan 16, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Lockdown custom-post-type-lockdown allows Privilege Escalation. This issue affects Custom Post Type Lockdown: from n/a through <= 1.11.

  • CVE-2024-6662 · High · Jan 10, 2025
    risk 0.57 · CVSS n/a · EPSS 0.00

    Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under "/edytor/index.php?id=7,7,0" lacks protection mechanisms. A user could be tricked into visiting a malicious website, which would send POST request…

  • CVE-2024-39623 · High · Jan 2, 2025
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro listingpro allows Authentication Bypass. This issue affects ListingPro: from n/a through <= 2.9.4.

  • CVE-2024-56207 · High · Dec 31, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in EditionGuard EditionGuard for WooCommerce – eBook Sales with DRM editionguard-for-woocommerce-ebook-sales-with-drm allows Privilege Escalation. This issue affects EditionGuard for WooCommerce – eBook Sales with DRM: from n/a…

  • CVE-2024-56206 · High · Dec 31, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in krishankakkar gap-hub-user-role gap-hub-user-role allows Authentication Bypass. This issue affects gap-hub-user-role: from n/a through <= 3.4.1.

  • CVE-2024-56204 · High · Dec 31, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in yonisink Sinking Dropdowns sinking-dropdowns allows Privilege Escalation. This issue affects Sinking Dropdowns: from n/a through <= 1.25.

  • CVE-2024-56203 · High · Dec 31, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in gholme4 Wayne Audio Player wayne-audio-player allows Privilege Escalation. This issue affects Wayne Audio Player: from n/a through <= 1.0.

  • CVE-2024-37758 · High · Dec 20, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper access control in the endpoint /RoleMenuMapping/AddRoleMenu of Digiteam v4.21.0.0 allows authenticated attackers to escalate privileges.

  • CVE-2024-54352 · High · Dec 16, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Sabri Sogrid sogrid allows Privilege Escalation. This issue affects Sogrid: from n/a through <= 1.5.2.

  • CVE-2024-54248 · High · Dec 13, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in eewee eewee admin custom eewee-admincustom allows Privilege Escalation. This issue affects eewee admin custom: from n/a through <= 1.8.2.4.

  • CVE-2024-11689 · High · Dec 12, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The HQ Rental Software plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.29. This is due to missing or incorrect nonce validation on the displaySettingsPage() function. This makes it possible for unauthenticated attackers…

  • CVE-2020-28398 · High · Dec 10, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1500 (All versions < V2.16.0), RUGGEDCOM ROX RX1501 (All versions < V2.16.0),…

  • CVE-2024-39163 · High · Dec 4, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints.

  • CVE-2024-11415 · High · Nov 23, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The WP-Orphanage Extended plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the wporphanageex_menu_settings() function. This makes it possible for unauthenticated…