CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

CWE-345

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (4,570)

page 73 of 229

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2023-49855	Binarycarpenter Menu Bar Cart Icon For Woocommerce	Med	0.42	6.5	Dec 18, 2023	Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Menu Bar Cart Icon For WooCommerce By Binary Carpenter.This issue affects Menu Bar Cart Icon For WooCommerce By Binary Carpenter: from n/a through 1.49.3.
CVE-2023-34030	Really Simple Plugins Complianz	Med	0.42	6.5	Nov 30, 2023	Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Complianz, Really Simple Plugins Complianz Premium allows Cross-Site Request Forgery.This issue affects Complianz: from n/a through 6.4.5; Complianz Premium: from n/a through 6.4.7.
CVE-2023-5382	Funnelforms Funnelforms	Med	0.42	6.5	Nov 22, 2023	The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-28780	Yoast Yoast Local Seo	Med	0.42	6.5	Nov 18, 2023	Cross-Site Request Forgery (CSRF) vulnerability in Yoast Yoast Local Premium.This issue affects Yoast Local Premium: from n/a through 14.8.
CVE-2023-47650	Petersterling Add Local Avatar	Med	0.42	6.5	Nov 18, 2023	Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Add Local Avatar.This issue affects Add Local Avatar: from n/a through 12.1.
CVE-2023-47664	Plainviewplugins Plainview Protect Passwords	Med	0.42	6.5	Nov 18, 2023	Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview Plainview Protect Passwords.This issue affects Plainview Protect Passwords: from n/a through 1.4.
CVE-2023-34169	Sakura Ts Webfonts For Sakura	Med	0.42	6.5	Nov 9, 2023	Cross-Site Request Forgery (CSRF) vulnerability in SAKURA Internet Inc. TS Webfonts for さくらのレンタルサーバ plugin <= 3.1.2 versions.
CVE-2022-46857	Sitealert Sitealert	Med	0.42	6.5	Jul 18, 2023	Cross-Site Request Forgery (CSRF) vulnerability in SiteAlert plugin <= 1.9.7 versions.
CVE-2023-35096	Wpexperts Mycred	Med	0.42	6.5	Jul 17, 2023	Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.
CVE-2023-3011	Reputeinfosystems Armember	Med	0.42	6.5	Jul 12, 2023	The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the arm_check_user_cap function. This makes it possible for unauthenticated attackers to perform multiple unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2892	Wpeasycart Wp Easycart	Med	0.42	6.5	Jun 9, 2023	The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2891	Wpeasycart Wp Easycart	Med	0.42	6.5	Jun 9, 2023	The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-33314	Pluginus Bear Woocommerce Bulk Editor And Products Manager Professional	Med	0.42	6.5	May 28, 2023	Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions.
CVE-2021-4333	Veronalabs Wp Statistics	Med	0.42	6.5	Mar 7, 2023	The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-44737	Tipsandtricks Hq All In One Wp Security \& Firewall	Med	0.42	6.5	Nov 22, 2022	Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.
CVE-2017-1000224	Embedplus Youtube	Med	0.42	6.5	Nov 17, 2017	CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin
CVE-2017-1000085	Jenkins Project Subversion	Med	0.42	6.5	Oct 5, 2017	Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
CVE-2016-2965	IBM Sametime	Med	0.42	6.5	Aug 29, 2017	IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846.
CVE-2016-0356	IBM Sametime	Med	0.42	6.5	Aug 29, 2017	IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895.
CVE-2016-0355	IBM Sametime	Med	0.42	6.5	Aug 29, 2017	IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894.

CVE-2023-49855MedDec 18, 2023
Binarycarpenter
Menu Bar Cart Icon For Woocommerce
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Menu Bar Cart Icon For WooCommerce By Binary Carpenter.This issue affects Menu Bar Cart Icon For WooCommerce By Binary Carpenter: from n/a through 1.49.3.
CVE-2023-34030MedNov 30, 2023
Really Simple Plugins
Complianz
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugins Complianz, Really Simple Plugins Complianz Premium allows Cross-Site Request Forgery.This issue affects Complianz: from n/a through 6.4.5; Complianz Premium: from n/a through 6.4.7.
CVE-2023-5382MedNov 22, 2023
Funnelforms
Funnelforms
risk 0.42cvss 6.5epss 0.00
The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-28780MedNov 18, 2023
Yoast
Yoast Local Seo
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Yoast Yoast Local Premium.This issue affects Yoast Local Premium: from n/a through 14.8.
CVE-2023-47650MedNov 18, 2023
Petersterling
Add Local Avatar
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Add Local Avatar.This issue affects Add Local Avatar: from n/a through 12.1.
CVE-2023-47664MedNov 18, 2023
Plainviewplugins
Plainview Protect Passwords
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in edward_plainview Plainview Protect Passwords.This issue affects Plainview Protect Passwords: from n/a through 1.4.
CVE-2023-34169MedNov 9, 2023
Sakura
Ts Webfonts For Sakura
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in SAKURA Internet Inc. TS Webfonts for さくらのレンタルサーバ plugin <= 3.1.2 versions.
CVE-2022-46857MedJul 18, 2023
Sitealert
Sitealert
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in SiteAlert plugin <= 1.9.7 versions.
CVE-2023-35096MedJul 17, 2023
Wpexperts
Mycred
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.
CVE-2023-3011MedJul 12, 2023
Reputeinfosystems
Armember
risk 0.42cvss 6.5epss 0.00
The ARMember plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.5. This is due to missing or incorrect nonce validation on the arm_check_user_cap function. This makes it possible for unauthenticated attackers to perform multiple unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2892MedJun 9, 2023
Wpeasycart
Wp Easycart
risk 0.42cvss 6.5epss 0.00
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2891MedJun 9, 2023
Wpeasycart
Wp Easycart
risk 0.42cvss 6.5epss 0.00
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-33314MedMay 28, 2023
Pluginus
Bear Woocommerce Bulk Editor And Products Manager Professional
risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions.
CVE-2021-4333MedMar 7, 2023
Veronalabs
Wp Statistics
risk 0.42cvss 6.5epss 0.00
The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-44737MedNov 22, 2022
Tipsandtricks Hq
All In One Wp Security \& Firewall
risk 0.42cvss 6.5epss 0.00
Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.
CVE-2017-1000224MedNov 17, 2017
Embedplus
Youtube
risk 0.42cvss 6.5epss 0.00
CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin
CVE-2017-1000085MedOct 5, 2017
Jenkins Project
Subversion
risk 0.42cvss 6.5epss 0.00
Subversion Plugin connects to a user-specified Subversion repository as part of form validation (e.g. to retrieve a list of tags). This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.
CVE-2016-2965MedAug 29, 2017
IBM
Sametime
risk 0.42cvss 6.5epss 0.00
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846.
CVE-2016-0356MedAug 29, 2017
IBM
Sametime
risk 0.42cvss 6.5epss 0.00
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895.
CVE-2016-0355MedAug 29, 2017
IBM
Sametime
risk 0.42cvss 6.5epss 0.00
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894.