VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 61 of 286
  • CVE-2026-34403HigApr 20, 2026
    risk 0.46cvss 8.1epss 0.00

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that…

  • CVE-2026-40581HigApr 18, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…

  • CVE-2019-25693HigApr 12, 2026
    risk 0.46cvss 7.1epss 0.00

    ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the…

  • CVE-2026-39671HigApr 8, 2026
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.

  • CVE-2026-39371HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to…

  • CVE-2024-32537HigMar 20, 2026
    risk 0.46cvss 7.1epss 0.00

    Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4.

  • CVE-2026-22323HigMar 18, 2026
    risk 0.46cvss 7.1epss 0.00

    A CSRF vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to trick authenticated users into sending unauthorized POST requests to the device by luring them to a malicious webpage. This can silently alter the device’s…

  • CVE-2026-22355HigJan 22, 2026
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS.This issue affects Simple XML Sitemap: from n/a through <= 1.3.

  • CVE-2025-14615HigJan 14, 2026
    risk 0.46cvss 7.1epss 0.00

    The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This…

  • CVE-2025-31054HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.

  • CVE-2025-49028HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS.This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1.

  • CVE-2025-68885HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in page-carbajal Custom Post Status custom-post-status allows Stored XSS.This issue affects Custom Post Status: from n/a through <= 1.1.0.

  • CVE-2025-49354HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS.This issue affects Recent Posts From Each Category: from n/a through <= 1.4.

  • CVE-2025-49353HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path noindex-by-path allows Stored XSS.This issue affects Noindex by Path: from n/a through <= 1.0.

  • CVE-2025-49345HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS.This issue affects WP-EasyArchives: from n/a through <= 3.1.2.

  • CVE-2025-49344HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in reneade SensitiveTagCloud sensitive-tag-cloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through <= 1.4.1.

  • CVE-2025-49343HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in socialprofilr Social Profilr social-profilr-display-social-network-profile allows Stored XSS.This issue affects Social Profilr: from n/a through <= 1.0.

  • CVE-2025-49342HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in merzedes Custom Style custom-style allows Stored XSS.This issue affects Custom Style: from n/a through <= 1.0.

  • CVE-2025-59137HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS.This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.

  • CVE-2025-49346HigDec 31, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.