CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 61 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34403 | Hig | 0.46 | 8.1 | 0.00 | Apr 20, 2026 | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that… | ||
| CVE-2026-40581 | Hig | 0.46 | 8.1 | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An… | ||
| CVE-2019-25693 | Hig | 0.46 | 7.1 | 0.00 | Apr 12, 2026 | ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the… | ||
| CVE-2026-39671 | Hig | 0.46 | 7.1 | 0.00 | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3. | ||
| CVE-2026-39371 | Hig | 0.46 | 8.1 | 0.00 | Apr 7, 2026 | RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to… | ||
| CVE-2024-32537 | — | Hig | 0.46 | 7.1 | 0.00 | Mar 20, 2026 | Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4. | |
| CVE-2026-22323 | — | Hig | 0.46 | 7.1 | 0.00 | Mar 18, 2026 | A CSRF vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to trick authenticated users into sending unauthorized POST requests to the device by luring them to a malicious webpage. This can silently alter the device’s… | |
| CVE-2026-22355 | Hig | 0.46 | 7.1 | 0.00 | Jan 22, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3. | ||
| CVE-2025-14615 | Hig | 0.46 | 7.1 | 0.00 | Jan 14, 2026 | The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This… | ||
| CVE-2025-31054 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8. | ||
| CVE-2025-49028 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS.This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1. | ||
| CVE-2025-68885 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS.This issue affects Custom Post Status: from n/a through <= 1.1.0. | ||
| CVE-2025-49354 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through <= 1.4. | ||
| CVE-2025-49353 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path noindex-by-path allows Stored XSS.This issue affects Noindex by Path: from n/a through <= 1.0. | ||
| CVE-2025-49345 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS.This issue affects WP-EasyArchives: from n/a through <= 3.1.2. | ||
| CVE-2025-49344 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in reneade SensitiveTagCloud sensitive-tag-cloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through <= 1.4.1. | ||
| CVE-2025-49343 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in socialprofilr Social Profilr social-profilr-display-social-network-profile allows Stored XSS.This issue affects Social Profilr: from n/a through <= 1.0. | ||
| CVE-2025-49342 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in merzedes Custom Style custom-style allows Stored XSS.This issue affects Custom Style: from n/a through <= 1.0. | ||
| CVE-2025-59137 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5. | ||
| CVE-2025-49346 | Hig | 0.46 | 7.1 | 0.00 | Dec 31, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2. |
- risk 0.46cvss 8.1epss 0.00
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that…
- risk 0.46cvss 8.1epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…
- risk 0.46cvss 7.1epss 0.00
ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the…
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
- risk 0.46cvss 8.1epss 0.00
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to…
- risk 0.46cvss 7.1epss 0.00
Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4.
- risk 0.46cvss 7.1epss 0.00
A CSRF vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to trick authenticated users into sending unauthorized POST requests to the device by luring them to a malicious webpage. This can silently alter the device’s…
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3.
- risk 0.46cvss 7.1epss 0.00
The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This…
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS.This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS.This issue affects Custom Post Status: from n/a through <= 1.1.0.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through <= 1.4.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path noindex-by-path allows Stored XSS.This issue affects Noindex by Path: from n/a through <= 1.0.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS.This issue affects WP-EasyArchives: from n/a through <= 3.1.2.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in reneade SensitiveTagCloud sensitive-tag-cloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through <= 1.4.1.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in socialprofilr Social Profilr social-profilr-display-social-network-profile allows Stored XSS.This issue affects Social Profilr: from n/a through <= 1.0.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in merzedes Custom Style custom-style allows Stored XSS.This issue affects Custom Style: from n/a through <= 1.0.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.