VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 143 of 286
  • CVE-2025-48885MedMay 30, 2025
    risk 0.30cvss epss 0.00

    application-urlshortener create shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to…

  • CVE-2025-31328MedApr 22, 2025
    risk 0.30cvss 4.6epss 0.00

    SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server. GET-based OData function is named in a way that it violates the expected behaviour. This issue could impact…

  • CVE-2023-4454MedAug 21, 2023
    risk 0.30cvss 5.7epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.

  • CVE-2023-22689MedMay 20, 2023
    risk 0.30cvss 4.6epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3 versions.

  • CVE-2023-25569MedFeb 20, 2023
    risk 0.30cvss 5.7epss 0.00

    Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the…

  • CVE-2023-24428MedJan 26, 2023
    risk 0.30cvss 5.7epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2021-32730MedJul 1, 2021
    risk 0.30cvss 5.7epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an…

  • CVE-2016-3004MedNov 30, 2016
    risk 0.30cvss 4.6epss 0.01

    Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the set of available applications.

  • CVE-2024-47914MedNov 14, 2024
    risk 0.29cvss 4.5epss 0.00

    VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF)

  • CVE-2022-25576MedMar 24, 2022
    risk 0.29cvss 4.5epss 0.00

    Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

  • CVE-2021-22701MedFeb 19, 2021
    risk 0.29cvss 4.5epss 0.00

    A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when…

  • CVE-2020-36191MedJan 13, 2021
    risk 0.29cvss 4.5epss 0.01

    JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

  • CVE-2016-20074MedJun 15, 2026
    risk 0.28cvss 4.3epss 0.00

    WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin…

  • CVE-2016-20067MedJun 15, 2026
    risk 0.28cvss 4.3epss 0.00

    WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page…

  • CVE-2022-47150MedJun 11, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10.

  • CVE-2024-32110MedJun 11, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2.

  • CVE-2026-53739MedJun 10, 2026
    risk 0.28cvss 4.3epss 0.00

    Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice…

  • CVE-2026-53736MedJun 10, 2026
    risk 0.28cvss 4.3epss 0.00

    Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.

  • CVE-2026-8940MedJun 9, 2026
    risk 0.28cvss 4.3epss 0.00

    The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated…

  • CVE-2026-8909MedJun 9, 2026
    risk 0.28cvss 4.3epss 0.00

    The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify…