VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 109 of 286
  • CVE-2024-5596MedJun 22, 2024
    risk 0.41cvss 6.3epss 0.00

    The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or…

  • CVE-2024-31272MedApr 12, 2024
    risk 0.41cvss 6.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Repute InfoSystems ARForms Form Builder.This issue affects ARForms Form Builder: from n/a through 1.6.1.

  • CVE-2024-27974MedMar 18, 2024
    risk 0.41cvss 6.3epss 0.00

    Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator's…

  • CVE-2024-1954MedFeb 28, 2024
    risk 0.41cvss 6.3epss 0.00

    The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes…

  • CVE-2023-52129MedJan 5, 2024
    risk 0.41cvss 6.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.4.

  • CVE-2023-46212MedDec 19, 2023
    risk 0.41cvss 6.3epss 0.00

    Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects WP EXtra: from n/a through 6.2.

  • CVE-2023-48762MedDec 18, 2023
    risk 0.41cvss 6.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13.

  • CVE-2023-6008MedNov 22, 2023
    risk 0.41cvss 6.3epss 0.00

    The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user…

  • CVE-2023-4000MedAug 31, 2023
    risk 0.41cvss 6.3epss 0.00

    The Waiting: One-click countdowns plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to create…

  • CVE-2023-3052MedJun 3, 2023
    risk 0.41cvss 6.3epss 0.00

    The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_add_post', 'azh_duplicate_post', 'azh_update_post' and 'azh_remove_post'…

  • CVE-2022-4941MedApr 5, 2023
    risk 0.41cvss 6.3epss 0.00

    The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as…

  • CVE-2022-4938MedApr 5, 2023
    risk 0.41cvss 6.3epss 0.00

    The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such…

  • CVE-2022-4936MedApr 5, 2023
    risk 0.41cvss 6.3epss 0.00

    The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as…

  • CVE-2023-1472MedMar 17, 2023
    risk 0.41cvss 6.3epss 0.00

    The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to…

  • CVE-2022-41927HigNov 23, 2022
    risk 0.41cvss 7.4epss 0.00

    XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances…

  • CVE-2022-24712MedFeb 28, 2022
    risk 0.41cvss 6.3epss 0.01

    CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There…

  • CVE-2021-21241HigJan 11, 2021
    risk 0.41cvss 7.4epss 0.01

    The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version…

  • CVE-2019-3876MedApr 1, 2019
    risk 0.41cvss 6.3epss 0.01

    A flaw was found in the /oauth/token/request custom endpoint of the OpenShift OAuth server allowing for XSS generation of CLI tokens due to missing X-Frame-Options and CSRF protections. If not otherwise prevented, a separate XSS vulnerability via JavaScript could further allow…

  • CVE-2018-15202MedAug 8, 2018
    risk 0.41cvss 6.3epss 0.00

    An issue was discovered in Juunan06 eCommerce through 2018-08-05. There is a CSRF vulnerability in ee/eBoutique/app/template/includes/crudTreatment.php that can add new users and add products.

  • CVE-2018-0215MedMar 8, 2018
    risk 0.41cvss 6.3epss 0.01

    A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to…