VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 217 of 286
  • CVE-2025-11976MedOct 25, 2025
    risk 0.21cvss 4.3epss 0.00

    The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce…

  • CVE-2025-10588MedOct 22, 2025
    risk 0.21cvss 4.3epss 0.00

    The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it…

  • CVE-2025-10700MedOct 16, 2025
    risk 0.21cvss 4.3epss 0.00

    The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the enable_unfiltered_files_upload function. This makes it possible…

  • CVE-2025-62245MedOct 10, 2025
    risk 0.21cvss 4.3epss 0.00

    Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to add and edit publication comments.

  • CVE-2025-10377MedSep 26, 2025
    risk 0.21cvss 4.3epss 0.00

    The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical…

  • CVE-2025-58199MedSep 22, 2025
    risk 0.21cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Fastly Fastly fastly allows Cross Site Request Forgery.This issue affects Fastly: from n/a through <= 1.2.28.

  • CVE-2025-9629MedSep 17, 2025
    risk 0.21cvss 4.3epss 0.00

    The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for…

  • CVE-2025-9627MedSep 11, 2025
    risk 0.21cvss 4.3epss 0.00

    The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl_plugin_options function. This makes it possible for unauthenticated attackers to modify…

  • CVE-2025-58975MedSep 9, 2025
    risk 0.21cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery.This issue affects Advanced Settings: from n/a through <= 3.1.1.

  • CVE-2025-58611MedSep 3, 2025
    risk 0.21cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Tickera Tickera tickera-event-ticketing-system allows Cross Site Request Forgery.This issue affects Tickera: from n/a through <= 3.5.5.6.

  • CVE-2025-8491MedAug 13, 2025
    risk 0.21cvss 4.3epss 0.00

    The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated…

  • CVE-2025-8104MedJul 27, 2025
    risk 0.21cvss 4.3epss 0.00

    The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.98. This is due to missing nonce validation in the wpmemory_install_plugin() function. This makes it possible for unauthenticated attackers to silently…

  • CVE-2025-8103MedJul 26, 2025
    risk 0.21cvss 4.3epss 0.00

    The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.7. This is due to missing nonce validation in the handle_feedback_submission() function. This makes it possible for unauthenticated attackers…

  • CVE-2025-53193MedJun 27, 2025
    risk 0.21cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics burst-statistics allows Cross Site Request Forgery.This issue affects Burst Statistics: from n/a through <= 2.0.6.

  • CVE-2025-6059MedJun 14, 2025
    risk 0.21cvss 4.3epss 0.00

    The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated…

  • CVE-2025-5930MedJun 13, 2025
    risk 0.21cvss 4.3epss 0.00

    The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings…

  • CVE-2025-47886MedMay 14, 2025
    risk 0.21cvss 4.3epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2025-2871MedApr 12, 2025
    risk 0.21cvss 4.3epss 0.00

    The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajax_dismiss_notice() function. This makes it possible for…

  • CVE-2025-31723MedApr 2, 2025
    risk 0.21cvss 4.3epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order.

  • CVE-2025-1314MedMar 20, 2025
    risk 0.21cvss 4.3epss 0.00

    The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it…