VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 150 of 286
  • CVE-2026-1508MedMar 10, 2026
    risk 0.28cvss 4.3epss 0.00

    The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack

  • CVE-2026-3770MedMar 8, 2026
    risk 0.28cvss 4.3epss 0.00

    A flaw has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.

  • CVE-2026-1087MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the…

  • CVE-2026-1086MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated…

  • CVE-2026-1085MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the…

  • CVE-2026-1073MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it…

  • CVE-2026-2494MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline…

  • CVE-2026-1644MedMar 7, 2026
    risk 0.28cvss 4.3epss 0.00

    The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or…

  • CVE-2026-1128MedMar 6, 2026
    risk 0.28cvss 4.3epss 0.00

    The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack

  • CVE-2026-27090MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3.

  • CVE-2026-25411MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <= 2.8.22.

  • CVE-2026-25319MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.

  • CVE-2026-1455MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for…

  • CVE-2025-14167MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is…

  • CVE-2025-13438MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it…

  • CVE-2025-13413MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update…

  • CVE-2025-12172MedFeb 19, 2026
    risk 0.28cvss 4.3epss 0.00

    The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible…

  • CVE-2026-2658MedFeb 18, 2026
    risk 0.28cvss 4.3epss 0.00

    A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is…

  • CVE-2026-2112MedFeb 18, 2026
    risk 0.28cvss 4.3epss 0.00

    The Dam Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce verification on the pending comment deletion action in the cleanup page. This makes it possible for unauthenticated attackers…

  • CVE-2026-2023MedFeb 18, 2026
    risk 0.28cvss 4.3epss 0.00

    The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This…