VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 52 of 286
  • CVE-2025-3064HigApr 8, 2025
    risk 0.50cvss 8.8epss 0.00

    The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated…

  • CVE-2024-7806HigMar 20, 2025
    risk 0.50cvss 8.8epss 0.00

    A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker…

  • CVE-2024-13913HigMar 14, 2025
    risk 0.50cvss 8.8epss 0.02

    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it…

  • CVE-2024-12322HigJan 7, 2025
    risk 0.50cvss 8.8epss 0.00

    The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers…

  • CVE-2024-12771HigDec 21, 2024
    risk 0.50cvss 8.8epss 0.00

    The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it…

  • CVE-2024-12293HigDec 17, 2024
    risk 0.50cvss 8.8epss 0.00

    The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the update_roles() function. This makes it possible for unauthenticated attackers to add or…

  • CVE-2024-55500HigDec 10, 2024
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.

  • CVE-2024-9990HigOct 29, 2024
    risk 0.50cvss 8.8epss 0.00

    The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any…

  • CVE-2024-6317HigJul 9, 2024
    risk 0.50cvss 8.8epss 0.01

    The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to…

  • CVE-2024-6316HigJul 9, 2024
    risk 0.50cvss 8.8epss 0.01

    The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and missing file type validation in the…

  • CVE-2024-5943HigJul 4, 2024
    risk 0.50cvss 8.8epss 0.00

    The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it…

  • CVE-2024-5343HigJun 19, 2024
    risk 0.50cvss 8.8epss 0.00

    The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.19. This is due to missing or incorrect nonce validation on the 'rbs_ajax_create_article' and 'rbs_ajax_reset_views'…

  • CVE-2024-38276HigJun 18, 2024
    risk 0.50cvss 8.8epss 0.00

    Incorrect CSRF token checks resulted in multiple CSRF risks.

  • CVE-2024-34008HigMay 31, 2024
    risk 0.50cvss 8.8epss 0.00

    Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-2115HigApr 5, 2024
    risk 0.50cvss 8.8epss 0.00

    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filter_users functions. This makes it possible for unauthenticated…

  • CVE-2024-29192HigApr 4, 2024
    risk 0.50cvss 8.8epss 0.00

    gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without…

  • CVE-2023-36237HigFeb 26, 2024
    risk 0.50cvss 8.8epss 0.00

    Cross Site Request Forgery vulnerability in Bagisto before v.1.5.1 allows an attacker to execute arbitrary code via a crafted HTML script.

  • CVE-2021-29050HigFeb 20, 2024
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to…

  • CVE-2024-22859HigFeb 1, 2024
    risk 0.50cvss 8.8epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client…

  • CVE-2023-50768HigDec 13, 2023
    risk 0.50cvss 8.8epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…