CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 143 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48885 | Med | 0.30 | — | 0.00 | May 30, 2025 | application-urlshortener create shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to… | ||
| CVE-2025-31328 | Med | 0.30 | 4.6 | 0.00 | Apr 22, 2025 | SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server. GET-based OData function is named in a way that it violates the expected behaviour. This issue could impact… | ||
| CVE-2023-4454 | Med | 0.30 | 5.7 | 0.00 | Aug 21, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3. | ||
| CVE-2023-22689 | Med | 0.30 | 4.6 | 0.00 | May 20, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3 versions. | ||
| CVE-2023-25569 | Med | 0.30 | 5.7 | 0.00 | Feb 20, 2023 | Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the… | ||
| CVE-2023-24428 | Med | 0.30 | 5.7 | 0.00 | Jan 26, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account. | ||
| CVE-2021-32730 | Med | 0.30 | 5.7 | 0.01 | Jul 1, 2021 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an… | ||
| CVE-2016-3004 | Med | 0.30 | 4.6 | 0.01 | Nov 30, 2016 | Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the set of available applications. | ||
| CVE-2024-47914 | — | Med | 0.29 | 4.5 | 0.00 | Nov 14, 2024 | VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF) | |
| CVE-2022-25576 | — | Med | 0.29 | 4.5 | 0.00 | Mar 24, 2022 | Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts. | |
| CVE-2021-22701 | Med | 0.29 | 4.5 | 0.00 | Feb 19, 2021 | A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when… | ||
| CVE-2020-36191 | — | Med | 0.29 | 4.5 | 0.01 | Jan 13, 2021 | JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account). | |
| CVE-2016-20074 | Med | 0.28 | 4.3 | 0.00 | Jun 15, 2026 | WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin… | ||
| CVE-2016-20067 | Med | 0.28 | 4.3 | 0.00 | Jun 15, 2026 | WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page… | ||
| CVE-2022-47150 | Med | 0.28 | 4.3 | 0.00 | Jun 11, 2026 | Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10. | ||
| CVE-2024-32110 | Med | 0.28 | 4.3 | 0.00 | Jun 11, 2026 | Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2. | ||
| CVE-2026-53739 | Med | 0.28 | 4.3 | 0.00 | Jun 10, 2026 | Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice… | ||
| CVE-2026-53736 | Med | 0.28 | 4.3 | 0.00 | Jun 10, 2026 | Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type. | ||
| CVE-2026-8940 | Med | 0.28 | 4.3 | 0.00 | Jun 9, 2026 | The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated… | ||
| CVE-2026-8909 | Med | 0.28 | 4.3 | 0.00 | Jun 9, 2026 | The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify… |
- risk 0.30cvss —epss 0.00
application-urlshortener create shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to…
- risk 0.30cvss 4.6epss 0.00
SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server. GET-based OData function is named in a way that it violates the expected behaviour. This issue could impact…
- risk 0.30cvss 5.7epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.
- risk 0.30cvss 4.6epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links plugin <= 6.3 versions.
- risk 0.30cvss 5.7epss 0.00
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the…
- risk 0.30cvss 5.7epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.
- risk 0.30cvss 5.7epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible for forge an URL that, when accessed by an…
- risk 0.30cvss 4.6epss 0.01
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the set of available applications.
- risk 0.29cvss 4.5epss 0.00
VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF)
- risk 0.29cvss 4.5epss 0.00
Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.
- risk 0.29cvss 4.5epss 0.00
A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when…
- risk 0.29cvss 4.5epss 0.01
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
- risk 0.28cvss 4.3epss 0.00
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin…
- risk 0.28cvss 4.3epss 0.00
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page…
- risk 0.28cvss 4.3epss 0.00
Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10.
- risk 0.28cvss 4.3epss 0.00
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2.
- risk 0.28cvss 4.3epss 0.00
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice…
- risk 0.28cvss 4.3epss 0.00
Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.
- risk 0.28cvss 4.3epss 0.00
The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated…
- risk 0.28cvss 4.3epss 0.00
The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify…