CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

CWE-345

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (4,557)

page 141 of 228

CVE	Sev	Risk	CVSS	Published	Description
CVE-2025-24543	Med	0.28	4.3	Jan 24, 2025	Cross-Site Request Forgery (CSRF) vulnerability in RSTheme Ultimate Coming Soon & Maintenance ultimate-coming-soon allows Cross Site Request Forgery.This issue affects Ultimate Coming Soon & Maintenance: from n/a through <= 1.0.9.
CVE-2025-23996	Med	0.28	4.3	Jan 21, 2025	Cross-Site Request Forgery (CSRF) vulnerability in AnyRoad AnyRoad anyguide allows Cross Site Request Forgery.This issue affects AnyRoad: from n/a through <= 1.3.2.
CVE-2024-13317	Med	0.28	4.3	Jan 18, 2025	The ShipWorks Connector for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to missing or incorrect nonce validation on the 'shipworks-wordpress' page. This makes it possible for unauthenticated attackers to update the services username and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-23765	Med	0.28	4.3	Jan 16, 2025	Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp allows Cross Site Request Forgery.This issue affects W3SPEEDSTER: from n/a through <= 7.33.
CVE-2024-10789	Med	0.28	4.3	Jan 16, 2025	The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupa_user_admin() function. This makes it possible for unauthenticated attackers to update the plugins setting which controls access to the functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-22731	Med	0.28	4.3	Jan 15, 2025	Cross-Site Request Forgery (CSRF) vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Cross Site Request Forgery.This issue affects Build Private Store For Woocommerce: from n/a through <= 1.0.
CVE-2024-12605	Med	0.28	4.3	Jan 9, 2025	The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5. This is due to missing or incorrect nonce validation on the "al_scribe_content_data" actions. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-12206	Med	0.28	4.3	Jan 9, 2025	The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-22563	Med	0.28	4.3	Jan 7, 2025	Cross-Site Request Forgery (CSRF) vulnerability in faaiq Pretty Url pretty-url allows Cross Site Request Forgery.This issue affects Pretty Url: from n/a through <= 1.5.5.
CVE-2025-22562	Med	0.28	4.3	Jan 7, 2025	Cross-Site Request Forgery (CSRF) vulnerability in kbowson Title Experiments Free wp-experiments-free allows Cross Site Request Forgery.This issue affects Title Experiments Free: from n/a through <= 9.0.4.
CVE-2025-22503	Med	0.28	4.3	Jan 7, 2025	Cross-Site Request Forgery (CSRF) vulnerability in digitalzoomstudio Admin debug wordpress – enable debug dzs-enable-debug allows Cross Site Request Forgery.This issue affects Admin debug wordpress – enable debug: from n/a through <= 1.0.13.
CVE-2025-22297	Med	0.28	4.3	Jan 7, 2025	Cross-Site Request Forgery (CSRF) vulnerability in aipost AI WP Writer ai-wp-writer allows Cross Site Request Forgery.This issue affects AI WP Writer: from n/a through <= 3.8.4.4.
CVE-2024-49294	Med	0.28	4.3	Jan 7, 2025	Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Cross Site Request Forgery.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.4.3.
CVE-2024-38732	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery.This issue affects Patricia Blog: from n/a through 1.2.
CVE-2024-38731	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery.This issue affects i-amaze: from n/a through 1.3.7.
CVE-2024-37931	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery.This issue affects Point: from n/a through 1.1.
CVE-2024-37452	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery.This issue affects Schema Lite: from n/a through 1.2.2.
CVE-2024-37241	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.
CVE-2024-37237	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in fs-code FS Poster fs-poster allows Cross Site Request Forgery.This issue affects FS Poster: from n/a through <= 6.5.8.
CVE-2024-38778	Med	0.28	4.3	Jan 2, 2025	Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search fulltext-search.This issue affects WP Fast Total Search: from n/a through <= 1.69.234.

CVE-2025-24543MedJan 24, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in RSTheme Ultimate Coming Soon & Maintenance ultimate-coming-soon allows Cross Site Request Forgery.This issue affects Ultimate Coming Soon & Maintenance: from n/a through <= 1.0.9.
CVE-2025-23996MedJan 21, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in AnyRoad AnyRoad anyguide allows Cross Site Request Forgery.This issue affects AnyRoad: from n/a through <= 1.3.2.
CVE-2024-13317MedJan 18, 2025
risk 0.28cvss 4.3epss 0.00
The ShipWorks Connector for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to missing or incorrect nonce validation on the 'shipworks-wordpress' page. This makes it possible for unauthenticated attackers to update the services username and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-23765MedJan 16, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in w3speedster W3SPEEDSTER w3speedster-wp allows Cross Site Request Forgery.This issue affects W3SPEEDSTER: from n/a through <= 7.33.
CVE-2024-10789MedJan 16, 2025
risk 0.28cvss 4.3epss 0.00
The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupa_user_admin() function. This makes it possible for unauthenticated attackers to update the plugins setting which controls access to the functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-22731MedJan 15, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in silverplugins217 Build Private Store For Woocommerce build-private-store-for-woocommerce allows Cross Site Request Forgery.This issue affects Build Private Store For Woocommerce: from n/a through <= 1.0.
CVE-2024-12605MedJan 9, 2025
risk 0.28cvss 4.3epss 0.00
The AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5. This is due to missing or incorrect nonce validation on the "al_scribe_content_data" actions. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-12206MedJan 9, 2025
risk 0.28cvss 4.3epss 0.00
The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-22563MedJan 7, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in faaiq Pretty Url pretty-url allows Cross Site Request Forgery.This issue affects Pretty Url: from n/a through <= 1.5.5.
CVE-2025-22562MedJan 7, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in kbowson Title Experiments Free wp-experiments-free allows Cross Site Request Forgery.This issue affects Title Experiments Free: from n/a through <= 9.0.4.
CVE-2025-22503MedJan 7, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in digitalzoomstudio Admin debug wordpress – enable debug dzs-enable-debug allows Cross Site Request Forgery.This issue affects Admin debug wordpress – enable debug: from n/a through <= 1.0.13.
CVE-2025-22297MedJan 7, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in aipost AI WP Writer ai-wp-writer allows Cross Site Request Forgery.This issue affects AI WP Writer: from n/a through <= 3.8.4.4.
CVE-2024-49294MedJan 7, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Cross Site Request Forgery.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.4.3.
CVE-2024-38732MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery.This issue affects Patricia Blog: from n/a through 1.2.
CVE-2024-38731MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery.This issue affects i-amaze: from n/a through 1.3.7.
CVE-2024-37931MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery.This issue affects Point: from n/a through 1.1.
CVE-2024-37452MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery.This issue affects Schema Lite: from n/a through 1.2.2.
CVE-2024-37241MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.
CVE-2024-37237MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in fs-code FS Poster fs-poster allows Cross Site Request Forgery.This issue affects FS Poster: from n/a through <= 6.5.8.
CVE-2024-38778MedJan 2, 2025
risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search fulltext-search.This issue affects WP Fast Total Search: from n/a through <= 1.69.234.