VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 140 of 286
  • CVE-2019-10359MedJul 31, 2019
    risk 0.34cvss 6.3epss 0.01

    A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

  • CVE-2025-58468MedJun 10, 2026
    risk 0.33cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version:…

  • CVE-2026-49433MedJun 1, 2026
    risk 0.33cvss 5.0epss 0.00

    The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on…

  • CVE-2026-40549MedJun 1, 2026
    risk 0.33cvss epss 0.00

    SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. This…

  • CVE-2026-41255MedMay 13, 2026
    risk 0.33cvss 6.1epss 0.00

    CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in…

  • CVE-2026-2324MedMar 11, 2026
    risk 0.33cvss 6.1epss 0.00

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes…

  • CVE-2026-1468MedMar 6, 2026
    risk 0.33cvss epss 0.00

    QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges. This software does not implement any protection against this…

  • CVE-2026-23694MedFeb 23, 2026
    risk 0.33cvss epss 0.00

    Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform…

  • CVE-2025-10317MedOct 30, 2025
    risk 0.33cvss epss 0.00

    Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This…

  • CVE-2025-7202MedAug 6, 2025
    risk 0.33cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights.

  • CVE-2025-7369MedJul 21, 2025
    risk 0.33cvss 6.1epss 0.00

    The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.4.2. This is due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated…

  • CVE-2025-34050MedJul 1, 2025
    risk 0.33cvss epss 0.00

    A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user’s browser session, allow unauthorized changes to the…

  • CVE-2025-47204MedMay 13, 2025
    risk 0.33cvss 6.1epss 0.00

    An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting…

  • CVE-2025-46721MedMay 13, 2025
    risk 0.33cvss 6.1epss 0.00

    nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue…

  • CVE-2024-12634MedMar 7, 2025
    risk 0.33cvss 6.1epss 0.00

    The Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 2.0.59. This is due to missing nonce validation on a function. This makes it…

  • CVE-2024-13444MedJan 21, 2025
    risk 0.33cvss 6.1epss 0.00

    The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject…

  • CVE-2024-12383MedJan 7, 2025
    risk 0.33cvss 6.1epss 0.00

    The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output…

  • CVE-2024-12454MedDec 18, 2024
    risk 0.33cvss 6.1epss 0.00

    The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated…

  • CVE-2024-12220MedDec 17, 2024
    risk 0.33cvss 6.1epss 0.00

    The SMS for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web…

  • CVE-2024-12219MedDec 17, 2024
    risk 0.33cvss 6.1epss 0.00

    The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via…