VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 60 of 286
  • CVE-2025-49237HigJun 6, 2025
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor poeditor allows Path Traversal.This issue affects POEditor: from n/a through <= 0.9.10.

  • CVE-2025-28954HigJun 6, 2025
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp backwp allows Path Traversal.This issue affects Backwp: from n/a through <= 2.0.2.

  • CVE-2025-47491HigMay 7, 2025
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget new-contact-form-widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through <= 1.4.6.

  • CVE-2025-46439HigApr 24, 2025
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Plugin Central plugin-central allows Path Traversal.This issue affects Plugin Central: from n/a through <= 2.5.1.

  • CVE-2025-39544HigApr 16, 2025
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in sminozzi WP Tools wptools allows Path Traversal.This issue affects WP Tools: from n/a through <= 5.18.

  • CVE-2024-37940HigJul 12, 2024
    risk 0.48cvss 7.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Seraphinite Solutions Seraphinite Accelerator (Full, premium).This issue affects Seraphinite Accelerator (Full, premium): from n/a through 2.21.13.

  • CVE-2024-34001HigMay 31, 2024
    risk 0.48cvss 8.4epss 0.00

    Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-29499HigMar 22, 2024
    risk 0.48cvss 7.4epss 0.00

    Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2.

  • CVE-2026-40925HigApr 21, 2026
    risk 0.47cvss 8.3epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call…

  • CVE-2025-60535HigOct 14, 2025
    risk 0.47cvss 7.3epss 0.00

    A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.

  • CVE-2025-47909HigAug 29, 2025
    risk 0.47cvss 7.3epss 0.00

    Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com…

  • CVE-2024-3593HigJun 22, 2024
    risk 0.47cvss 7.2epss 0.00

    The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible…

  • CVE-2024-5185HigMay 29, 2024
    risk 0.47cvss 7.3epss 0.00

    The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the…

  • CVE-2024-2395HigMar 12, 2024
    risk 0.47cvss 7.3epss 0.00

    The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to…

  • CVE-2024-22424HigJan 19, 2024
    risk 0.47cvss 8.3epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same…

  • CVE-2022-28731MedAug 4, 2022
    risk 0.47cvss 6.5epss 0.56

    A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.

  • CVE-2017-14362HigDec 13, 2017
    risk 0.47cvss 7.3epss 0.01

    Cross-Site Request Forgery vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability could be exploited to allow a Cross-Site Forgery attack.

  • CVE-2026-6075HigMay 29, 2026
    risk 0.46cvss 8.1epss 0.00

    The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated…

  • CVE-2026-39436HigMay 25, 2026
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3.

  • CVE-2026-45430HigMay 12, 2026
    risk 0.46cvss 7.1epss 0.00

    The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.