VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 46 of 286
  • CVE-2025-8592HigAug 21, 2025
    risk 0.53cvss 8.1epss 0.00

    The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This makes it possible for unauthenticated attackers to install…

  • CVE-2025-52797HigAug 14, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in josepsitjar StoryMap wp-storymap allows SQL Injection.This issue affects StoryMap: from n/a through <= 2.1.

  • CVE-2025-49555HigAug 12, 2025
    risk 0.53cvss 8.1epss 0.01

    Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing…

  • CVE-2025-7667HigJul 15, 2025
    risk 0.53cvss 8.1epss 0.00

    The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to…

  • CVE-2025-28986HigJun 6, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue affects Epicwin Plugin: from n/a through <= 1.5.

  • CVE-2025-46458HigMay 23, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan occupancyplan allows SQL Injection.This issue affects occupancyplan: from n/a through <= 1.0.3.0.

  • CVE-2025-47533HigMay 7, 2025
    risk 0.53cvss 8.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design Graphina graphina-elementor-charts-and-graphs allows PHP Local File Inclusion.This issue affects Graphina: from n/a through <= 3.0.4.

  • CVE-2025-46241HigApr 22, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows SQL Injection.This issue affects Appointment Booking Calendar: from n/a through <= 1.3.92.

  • CVE-2025-26748HigApr 15, 2025
    risk 0.53cvss 8.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in looswebstudio Arkhe arkhe allows PHP Local File Inclusion.This issue affects Arkhe: from n/a through <= 3.12.0.

  • CVE-2025-32547HigApr 9, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in gtlwpdev All push notification for WP all-push-notification allows Blind SQL Injection.This issue affects All push notification for WP: from n/a through <= 1.5.3.

  • CVE-2025-30788HigMar 27, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Eli EZ SQL Reports Shortcode Widget and DB Backup elisqlreports allows SQL Injection.This issue affects EZ SQL Reports Shortcode Widget and DB Backup: from n/a through <= 5.25.08.

  • CVE-2025-30783HigMar 27, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in jgwhite33 WP Google Review Slider wp-google-places-review-slider allows SQL Injection.This issue affects WP Google Review Slider: from n/a through <= 16.0.

  • CVE-2024-8065HigMar 20, 2025
    risk 0.53cvss 8.1epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and…

  • CVE-2024-10906HigMar 20, 2025
    risk 0.53cvss 8.1epss 0.00

    In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints exposed by the server…

  • CVE-2020-10095HigFeb 19, 2025
    risk 0.53cvss 8.1epss 0.00

    Various Lexmark devices have CSRF that allows an attacker to modify the configuration of the device.

  • CVE-2024-13684HigFeb 18, 2025
    risk 0.53cvss 8.1epss 0.00

    The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the reset_db_page() function. This makes it possible for unauthenticated attackers to reset several…

  • CVE-2024-56903HigFeb 3, 2025
    risk 0.53cvss 8.1epss 0.00

    Geovision GV-ASWeb with the version 6.1.1.0 or less allows attackers to modify POST request method with the GET against critical functionalities, such as account management. This vulnerability is used in chain with CVE-2024-56901 for a successful CSRF attack.

  • CVE-2024-57373HigJan 27, 2025
    risk 0.53cvss 8.1epss 0.00

    Cross Site Request Forgery (CSRF) vulnerability in LifestyleStore v1.0 allows a remote attacker to execute unauthorized actions on behalf of an authenticated user, potentially leading to account modifications or data compromise.

  • CVE-2024-53829HigJan 21, 2025
    risk 0.53cvss 8.2epss 0.00

    CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same…

  • CVE-2025-22347HigJan 7, 2025
    risk 0.53cvss 8.2epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist bsk-gravityforms-blacklist allows Blind SQL Injection.This issue affects BSK Forms Blacklist: from n/a through <= 3.9.