CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 151 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1072 | Med | 0.28 | 4.3 | 0.00 | Feb 18, 2026 | The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the… | ||
| CVE-2026-1394 | Med | 0.28 | 4.3 | 0.00 | Feb 14, 2026 | The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the… | ||
| CVE-2026-1983 | — | Med | 0.28 | 4.3 | 0.00 | Feb 14, 2026 | The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to… | |
| CVE-2026-1215 | Med | 0.28 | 4.3 | 0.00 | Feb 11, 2026 | The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for… | ||
| CVE-2026-1082 | Med | 0.28 | 4.3 | 0.00 | Feb 7, 2026 | The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated… | ||
| CVE-2026-1785 | Med | 0.28 | 4.3 | 0.00 | Feb 6, 2026 | The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible… | ||
| CVE-2020-37145 | Med | 0.28 | 4.3 | 0.00 | Feb 5, 2026 | HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into… | ||
| CVE-2024-40685 | Med | 0.28 | 4.3 | 0.00 | Feb 4, 2026 | IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions. | ||
| CVE-2026-1835 | — | Med | 0.28 | 4.3 | 0.00 | Feb 4, 2026 | A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be… | |
| CVE-2026-25014 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2. | ||
| CVE-2026-24966 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery.This issue affects Copyscape Premium: from n/a through <= 1.4.1. | ||
| CVE-2026-24962 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery.This issue affects Sigmize: from n/a through <= 0.0.9. | ||
| CVE-2026-24942 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery.This issue affects WpEvently: from n/a through <= 5.1.1. | ||
| CVE-2026-20704 | Med | 0.28 | 4.3 | 0.00 | Feb 3, 2026 | Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | ||
| CVE-2026-1447 | Med | 0.28 | 5.4 | 0.00 | Feb 3, 2026 | The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update… | ||
| CVE-2026-0658 | Med | 0.28 | 4.3 | 0.00 | Feb 2, 2026 | The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | ||
| CVE-2026-1745 | Med | 0.28 | 4.3 | 0.00 | Feb 2, 2026 | A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | ||
| CVE-2026-1165 | Med | 0.28 | 4.3 | 0.00 | Jan 31, 2026 | The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in… | ||
| CVE-2026-1398 | Med | 0.28 | 4.3 | 0.00 | Jan 28, 2026 | The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP… | ||
| CVE-2026-1380 | Med | 0.28 | 4.3 | 0.00 | Jan 28, 2026 | The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the… |
- risk 0.28cvss 4.3epss 0.00
The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the…
- risk 0.28cvss 4.3epss 0.00
The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the…
- risk 0.28cvss 4.3epss 0.00
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to…
- risk 0.28cvss 4.3epss 0.00
The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for…
- risk 0.28cvss 4.3epss 0.00
The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated…
- risk 0.28cvss 4.3epss 0.00
The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible…
- risk 0.28cvss 4.3epss 0.00
HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into…
- risk 0.28cvss 4.3epss 0.00
IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions.
- risk 0.28cvss 4.3epss 0.00
A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be…
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2.
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery.This issue affects Copyscape Premium: from n/a through <= 1.4.1.
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery.This issue affects Sigmize: from n/a through <= 0.0.9.
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery.This issue affects WpEvently: from n/a through <= 5.1.1.
- risk 0.28cvss 4.3epss 0.00
Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed.
- risk 0.28cvss 5.4epss 0.00
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update…
- risk 0.28cvss 4.3epss 0.00
The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.
- risk 0.28cvss 4.3epss 0.00
A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
- risk 0.28cvss 4.3epss 0.00
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in…
- risk 0.28cvss 4.3epss 0.00
The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP…
- risk 0.28cvss 4.3epss 0.00
The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the…