CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 153 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1051 | Med | 0.28 | 4.3 | 0.00 | Jan 20, 2026 | The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it… | ||
| CVE-2026-1169 | Med | 0.28 | 4.3 | 0.00 | Jan 19, 2026 | A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The… | ||
| CVE-2026-1153 | Med | 0.28 | 4.3 | 0.00 | Jan 19, 2026 | A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | ||
| CVE-2026-1142 | Med | 0.28 | 4.3 | 0.00 | Jan 19, 2026 | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for… | ||
| CVE-2025-14853 | — | Med | 0.28 | 4.3 | 0.00 | Jan 16, 2026 | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify… | |
| CVE-2025-15376 | Med | 0.28 | 4.3 | 0.00 | Jan 14, 2026 | The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it… | ||
| CVE-2025-15377 | Med | 0.28 | 4.3 | 0.00 | Jan 14, 2026 | The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the… | ||
| CVE-2025-14389 | Med | 0.28 | 4.3 | 0.00 | Jan 14, 2026 | The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a… | ||
| CVE-2026-0493 | Med | 0.28 | 4.3 | 0.00 | Jan 13, 2026 | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger… | ||
| CVE-2025-14976 | Med | 0.28 | 5.4 | 0.00 | Jan 10, 2026 | The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing… | ||
| CVE-2025-14999 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers… | ||
| CVE-2025-14904 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update… | ||
| CVE-2025-14845 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers… | ||
| CVE-2025-14468 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID… | ||
| CVE-2025-14465 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated… | ||
| CVE-2025-14077 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin… | ||
| CVE-2025-13990 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create,… | ||
| CVE-2025-13527 | — | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's… | |
| CVE-2025-13521 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to… | ||
| CVE-2025-13520 | Med | 0.28 | 4.3 | 0.00 | Jan 7, 2026 | The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers… |
- risk 0.28cvss 4.3epss 0.00
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it…
- risk 0.28cvss 4.3epss 0.00
A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The…
- risk 0.28cvss 4.3epss 0.00
A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used.
- risk 0.28cvss 4.3epss 0.00
A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for…
- risk 0.28cvss 4.3epss 0.00
The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify…
- risk 0.28cvss 4.3epss 0.00
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it…
- risk 0.28cvss 4.3epss 0.00
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the…
- risk 0.28cvss 4.3epss 0.00
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a…
- risk 0.28cvss 4.3epss 0.00
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger…
- risk 0.28cvss 5.4epss 0.00
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing…
- risk 0.28cvss 4.3epss 0.00
The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers…
- risk 0.28cvss 4.3epss 0.00
The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update…
- risk 0.28cvss 4.3epss 0.00
The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers…
- risk 0.28cvss 4.3epss 0.00
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID…
- risk 0.28cvss 4.3epss 0.00
The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated…
- risk 0.28cvss 4.3epss 0.00
The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin…
- risk 0.28cvss 4.3epss 0.00
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create,…
- risk 0.28cvss 4.3epss 0.00
The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's…
- risk 0.28cvss 4.3epss 0.00
The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to…
- risk 0.28cvss 4.3epss 0.00
The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers…