CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 60 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-49237 | Hig | 0.48 | 7.4 | 0.00 | Jun 6, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor poeditor allows Path Traversal.This issue affects POEditor: from n/a through <= 0.9.10. | ||
| CVE-2025-28954 | Hig | 0.48 | 7.4 | 0.00 | Jun 6, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp backwp allows Path Traversal.This issue affects Backwp: from n/a through <= 2.0.2. | ||
| CVE-2025-47491 | Hig | 0.48 | 7.4 | 0.00 | May 7, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through <= 1.4.6. | ||
| CVE-2025-46439 | Hig | 0.48 | 7.4 | 0.00 | Apr 24, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Plugin Central plugin-central allows Path Traversal.This issue affects Plugin Central: from n/a through <= 2.5.1. | ||
| CVE-2025-39544 | Hig | 0.48 | 7.4 | 0.00 | Apr 16, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in sminozzi WP Tools wptools allows Path Traversal.This issue affects WP Tools: from n/a through <= 5.18. | ||
| CVE-2024-37940 | Hig | 0.48 | 7.4 | 0.00 | Jul 12, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in Seraphinite Solutions Seraphinite Accelerator (Full, premium).This issue affects Seraphinite Accelerator (Full, premium): from n/a through 2.21.13. | ||
| CVE-2024-34001 | Hig | 0.48 | 8.4 | 0.00 | May 31, 2024 | Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk. | ||
| CVE-2024-29499 | — | Hig | 0.48 | 7.4 | 0.00 | Mar 22, 2024 | Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2. | |
| CVE-2026-40925 | Hig | 0.47 | 8.3 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call… | ||
| CVE-2025-60535 | Hig | 0.47 | 7.3 | 0.00 | Oct 14, 2025 | A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request. | ||
| CVE-2025-47909 | Hig | 0.47 | 7.3 | 0.00 | Aug 29, 2025 | Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com… | ||
| CVE-2024-3593 | Hig | 0.47 | 7.2 | 0.00 | Jun 22, 2024 | The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible… | ||
| CVE-2024-5185 | Hig | 0.47 | 7.3 | 0.00 | May 29, 2024 | The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the… | ||
| CVE-2024-2395 | Hig | 0.47 | 7.3 | 0.00 | Mar 12, 2024 | The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-22424 | Hig | 0.47 | 8.3 | 0.00 | Jan 19, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same… | ||
| CVE-2022-28731 | — | Med | 0.47 | 6.5 | 0.56 | Aug 4, 2022 | A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page. | |
| CVE-2017-14362 | Hig | 0.47 | 7.3 | 0.01 | Dec 13, 2017 | Cross-Site Request Forgery vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability could be exploited to allow a Cross-Site Forgery attack. | ||
| CVE-2026-6075 | Hig | 0.46 | 8.1 | 0.00 | May 29, 2026 | The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated… | ||
| CVE-2026-39436 | Hig | 0.46 | 7.1 | 0.00 | May 25, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3. | ||
| CVE-2026-45430 | Hig | 0.46 | 7.1 | 0.00 | May 12, 2026 | The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks. |
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor poeditor allows Path Traversal.This issue affects POEditor: from n/a through <= 0.9.10.
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp backwp allows Path Traversal.This issue affects Backwp: from n/a through <= 2.0.2.
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through <= 1.4.6.
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Plugin Central plugin-central allows Path Traversal.This issue affects Plugin Central: from n/a through <= 2.5.1.
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in sminozzi WP Tools wptools allows Path Traversal.This issue affects WP Tools: from n/a through <= 5.18.
- risk 0.48cvss 7.4epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Seraphinite Solutions Seraphinite Accelerator (Full, premium).This issue affects Seraphinite Accelerator (Full, premium): from n/a through 2.21.13.
- risk 0.48cvss 8.4epss 0.00
Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.
- risk 0.48cvss 7.4epss 0.00
Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2.
- risk 0.47cvss 8.3epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call…
- risk 0.47cvss 7.3epss 0.00
A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.
- risk 0.47cvss 7.3epss 0.00
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com…
- risk 0.47cvss 7.2epss 0.00
The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible…
- risk 0.47cvss 7.3epss 0.00
The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the…
- risk 0.47cvss 7.3epss 0.00
The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to…
- risk 0.47cvss 8.3epss 0.00
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same…
- risk 0.47cvss 6.5epss 0.56
A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
- risk 0.47cvss 7.3epss 0.01
Cross-Site Request Forgery vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability could be exploited to allow a Cross-Site Forgery attack.
- risk 0.46cvss 8.1epss 0.00
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated…
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3.
- risk 0.46cvss 7.1epss 0.00
The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.