VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 148 of 286
  • CVE-2025-53444MedApr 15, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro userpro allows Cross Site Request Forgery.This issue affects Userpro: from n/a through < 5.1.11.

  • CVE-2026-4002MedApr 15, 2026
    risk 0.28cvss 4.3epss 0.00

    The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajax_revoke_token() function which handles the 'petjeaf_disconnect' AJAX action. The function performs…

  • CVE-2026-6293MedApr 15, 2026
    risk 0.28cvss 4.3epss 0.00

    The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization…

  • CVE-2026-40041MedApr 13, 2026
    risk 0.28cvss 4.3epss 0.00

    Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login,…

  • CVE-2019-25708MedApr 12, 2026
    risk 0.28cvss 4.3epss 0.00

    Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint…

  • CVE-2026-6109MedApr 12, 2026
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request…

  • CVE-2026-1924MedApr 10, 2026
    risk 0.28cvss 4.3epss 0.00

    The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to…

  • CVE-2025-70811MedApr 9, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality.

  • CVE-2026-5918MedApr 8, 2026
    risk 0.28cvss 4.3epss 0.00

    Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-0811MedApr 8, 2026
    risk 0.28cvss 5.4epss 0.00

    The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for…

  • CVE-2026-39618MedApr 8, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1.

  • CVE-2026-4141MedApr 8, 2026
    risk 0.28cvss 4.3epss 0.00

    The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes…

  • CVE-2026-35181MedApr 6, 2026
    risk 0.28cvss 4.3epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via…

  • CVE-2026-35180MedApr 6, 2026
    risk 0.28cvss 4.3epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes.…

  • CVE-2019-25682MedApr 5, 2026
    risk 0.28cvss 4.3epss 0.00

    CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the…

  • CVE-2026-5572MedApr 5, 2026
    risk 0.28cvss 4.3epss 0.00

    A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be…

  • CVE-2016-20054MedApr 4, 2026
    risk 0.28cvss 4.3epss 0.00

    Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and…

  • CVE-2026-34749MedApr 1, 2026
    risk 0.28cvss 5.4epss 0.00

    Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site…

  • CVE-2026-3191MedMar 31, 2026
    risk 0.28cvss 5.4epss 0.00

    The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to…

  • CVE-2026-4971MedMar 27, 2026
    risk 0.28cvss 4.3epss 0.00

    A weakness has been identified in SourceCodester Note Taking App up to 1.0. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be…