VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 146 of 286
  • CVE-2026-8418MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function which handles the delete action (action=delete) via a GET request without…

  • CVE-2026-6452MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgames_syndicate_submenu() function. This makes it possible for…

  • CVE-2026-6401MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main…

  • CVE-2026-6400MedMay 20, 2026
    risk 0.28cvss 4.3epss 0.00

    The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does…

  • CVE-2018-25337MedMay 17, 2026
    risk 0.28cvss 4.3epss 0.00

    Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints like /joomoc2/?route=account/edit and to modify…

  • CVE-2018-25321MedMay 17, 2026
    risk 0.28cvss 4.3epss 0.00

    TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change WiFi…

  • CVE-2026-8425MedMay 15, 2026
    risk 0.28cvss 4.3epss 0.00

    The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the _updateSettings function. This makes it possible for unauthenticated attackers to change the…

  • CVE-2020-37217MedMay 13, 2026
    risk 0.28cvss 4.3epss 0.00

    Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with…

  • CVE-2026-7616MedMay 12, 2026
    risk 0.28cvss 4.3epss 0.00

    The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update…

  • CVE-2026-7562MedMay 12, 2026
    risk 0.28cvss 4.3epss 0.00

    The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or…

  • CVE-2026-6932MedMay 12, 2026
    risk 0.28cvss 4.3epss 0.00

    The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated…

  • CVE-2026-6710MedMay 12, 2026
    risk 0.28cvss 4.3epss 0.00

    The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps_Admin_AppPage function. This makes it possible for unauthenticated…

  • CVE-2026-43877MedMay 11, 2026
    risk 0.28cvss 5.4epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is…

  • CVE-2022-50955MedMay 10, 2026
    risk 0.28cvss 4.3epss 0.00

    WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the…

  • CVE-2021-47953MedMay 10, 2026
    risk 0.28cvss 4.3epss 0.00

    OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the…

  • CVE-2026-27415MedMay 7, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5.

  • CVE-2025-68604MedMay 7, 2026
    risk 0.28cvss 5.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3.

  • CVE-2026-6701MedMay 5, 2026
    risk 0.28cvss 4.3epss 0.00

    The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject…

  • CVE-2026-6700MedMay 5, 2026
    risk 0.28cvss 4.3epss 0.00

    The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to trick a…

  • CVE-2018-25310MedApr 29, 2026
    risk 0.28cvss 4.3epss 0.00

    VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with…