VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 139 of 286
  • CVE-2025-9616MedSep 4, 2025
    risk 0.34cvss 5.3epss 0.00

    The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset…

  • CVE-2025-49896MedAug 20, 2025
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wptasker WP Discord Post Plus – Supports Unlimited Channels allows Cross Site Request Forgery. This issue affects WP Discord Post Plus – Supports Unlimited Channels: from n/a through 1.0.2.

  • CVE-2025-5988MedAug 4, 2025
    risk 0.34cvss 5.3epss 0.00

    A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.

  • CVE-2025-7379MedJul 9, 2025
    risk 0.34cvss epss 0.00

    A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before…

  • CVE-2025-1435MedMar 5, 2025
    risk 0.34cvss 6.3epss 0.00

    The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers…

  • CVE-2024-11118MedNov 16, 2024
    risk 0.34cvss 5.3epss 0.00

    The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings() function. This makes it possible for unauthenticated attackers to…

  • CVE-2024-47359MedNov 1, 2024
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in averta Depicter Slider depicter.This issue affects Depicter Slider: from n/a through <= 3.2.2.

  • CVE-2023-26248MedOct 25, 2024
    risk 0.34cvss 5.3epss 0.00

    The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an…

  • CVE-2024-49306MedOct 20, 2024
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Content Copy Protection & No Right Click wp-content-copy-protector allows Cross Site Request Forgery.This issue affects WP Content Copy Protection & No Right Click: from n/a through <= 3.5.9.

  • CVE-2024-43316MedAug 26, 2024
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1.

  • CVE-2024-4100MedJul 9, 2024
    risk 0.34cvss 5.3epss 0.00

    The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it possible for unauthenticated attackers to perform a variety…

  • CVE-2024-0516MedFeb 29, 2024
    risk 0.34cvss 5.3epss 0.00

    The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to unauthorized post metadata update due to a missing capability check on the wpr_update_form_action_meta function in all versions up to, and including, 1.3.87. This makes it possible for unauthenticated…

  • CVE-2023-6984MedJan 3, 2024
    risk 0.34cvss 5.3epss 0.00

    The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the…

  • CVE-2023-29428MedNov 10, 2023
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in SuPlugins Superb Social Media Share Buttons and Follow Buttons for WordPress plugin <= 1.1.3 versions.

  • CVE-2023-32579MedNov 9, 2023
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Designs & Code Forget About Shortcode Buttons plugin <= 2.1.2 versions.

  • CVE-2023-39156MedJul 26, 2023
    risk 0.34cvss 5.3epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

  • CVE-2023-2067MedJun 9, 2023
    risk 0.34cvss 6.3epss 0.00

    The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce validation on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings',…

  • CVE-2021-39197MedSep 7, 2021
    risk 0.34cvss 6.3epss 0.01

    better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests.…

  • CVE-2020-28452MedJan 20, 2021
    risk 0.34cvss 6.3epss 0.01

    This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed…

  • CVE-2020-7780MedNov 27, 2020
    risk 0.34cvss 6.3epss 0.01

    This affects the package com.softwaremill.akka-http-session:core_2.13 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.12 before 0.5.11; the package com.softwaremill.akka-http-session:core_2.11 before 0.5.11. For older versions, endpoints protected by…