VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 145 of 286
  • CVE-2026-8938MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to…

  • CVE-2026-8903MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for…

  • CVE-2026-8708MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update…

  • CVE-2026-7614MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to…

  • CVE-2026-9236MedMay 27, 2026
    risk 0.28cvss 4.3epss 0.00

    The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action…

  • CVE-2026-9582MedMay 26, 2026
    risk 0.28cvss 4.3epss 0.00

    A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit…

  • CVE-2026-35220MedMay 26, 2026
    risk 0.28cvss 4.3epss 0.00

    Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.

  • CVE-2026-24554MedMay 25, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1.

  • CVE-2026-24597MedMay 25, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5.

  • CVE-2026-9486MedMay 25, 2026
    risk 0.28cvss 4.3epss 0.00

    A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for…

  • CVE-2018-25363MedMay 25, 2026
    risk 0.28cvss 4.3epss 0.00

    Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete…

  • CVE-2018-25354MedMay 23, 2026
    risk 0.28cvss 4.3epss 0.00

    Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with…

  • CVE-2018-25343MedMay 23, 2026
    risk 0.28cvss 4.3epss 0.00

    Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password…

  • CVE-2026-9303MedMay 23, 2026
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted…

  • CVE-2026-40864MedMay 22, 2026
    risk 0.28cvss 5.4epss 0.00

    JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The…

  • CVE-2026-4070MedMay 22, 2026
    risk 0.28cvss 4.3epss 0.00

    The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes…

  • CVE-2026-6405MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler…

  • CVE-2026-8424MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybb_api_settings' page. This makes it possible for unauthenticated attackers to reset…

  • CVE-2026-8423MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change…

  • CVE-2026-8419MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject…