VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 141 of 286
  • CVE-2024-11419MedDec 12, 2024
    risk 0.33cvss 6.1epss 0.00

    The Password for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the get3_init_admin_page() function. This makes it possible for unauthenticated attackers to…

  • CVE-2024-12004MedDec 11, 2024
    risk 0.33cvss 6.1epss 0.00

    The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for…

  • CVE-2024-11416MedNov 21, 2024
    risk 0.33cvss 6.1epss 0.00

    The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update…

  • CVE-2024-10726MedNov 21, 2024
    risk 0.33cvss 6.1epss 0.00

    The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to…

  • CVE-2024-48057MedNov 4, 2024
    risk 0.33cvss 6.1epss 0.00

    localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.

  • CVE-2024-7647MedAug 21, 2024
    risk 0.33cvss 6.1epss 0.00

    The OTA Sync Booking Engine Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing or incorrect nonce validation on the otasync_widget_settings_fnc() function. This makes it possible for…

  • CVE-2024-7850MedAug 20, 2024
    risk 0.33cvss 6.1epss 0.00

    The BP Profile Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.7.5. This is due to missing or incorrect nonce validation on the bps_ajax_field_selector(), bps_ajax_template_options(), and bps_ajax_field_row()…

  • CVE-2024-0660MedFeb 5, 2024
    risk 0.33cvss 6.1epss 0.00

    The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.7.2. This is due to missing or incorrect nonce validation on the…

  • CVE-2023-3414MedJul 26, 2023
    risk 0.33cvss 6.1epss 0.00

    A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins…

  • CVE-2023-2277MedJun 13, 2023
    risk 0.33cvss 6.1epss 0.00

    The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the…

  • CVE-2023-2405MedJun 3, 2023
    risk 0.33cvss 6.1epss 0.00

    The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.0. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify…

  • CVE-2023-2303MedJun 3, 2023
    risk 0.33cvss 6.1epss 0.00

    The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.5. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers…

  • CVE-2023-2301MedJun 3, 2023
    risk 0.33cvss 6.1epss 0.00

    The Contact Form Builder by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.3. This is due to missing nonce validation on the ls_parse_vcita_callback function. This makes it possible for unauthenticated attackers to…

  • CVE-2023-25170MedMar 13, 2023
    risk 0.33cvss 5.0epss 0.00

    PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable…

  • CVE-2022-2353MedJul 9, 2022
    risk 0.33cvss 6.1epss 0.01

    Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

  • CVE-2017-20062MedJun 20, 2022
    risk 0.33cvss 5.0epss 0.00

    A vulnerability was found in Elefant CMS 1.3.12-RC and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.…

  • CVE-2016-11084MedJun 19, 2020
    risk 0.33cvss 6.1epss 0.00

    An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.

  • CVE-2019-13209MedSep 4, 2019
    risk 0.33cvss 6.1epss 0.01

    Rancher 2 through 2.2.4 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the…

  • CVE-2018-13407MedJul 6, 2018
    risk 0.32cvss 4.9epss 0.00

    A CSRF issue was discovered in Jirafeau before 3.4.1. The "delete file" feature on the admin panel is not protected against automated requests and could be abused.

  • CVE-2018-7305MedFeb 21, 2018
    risk 0.32cvss 4.9epss 0.00

    MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.