CWE-352: Cross-Site Request Forgery (CSRF)
8,719 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-352 (page 63 of 175)
- CVE-2021-4399 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchroni…
- CVE-2021-4400 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_s…
- CVE-2021-4401 | HIGH | CVSS 8.8 | EG 8.8 | 2023-07-01
  The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible f…
- CVE-2021-4402 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_sign…
- CVE-2021-4403 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The Remove Schema plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the validate() function. This makes it possible for unauthent…
- CVE-2021-44036 | HIGH | CVSS 8.8 | EG 8.8 | 2021-11-19
  Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import.
- CVE-2021-4404 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possib…
- CVE-2021-4405 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-01
  The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it …
- CVE-2021-4407 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Custom Banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for…
- CVE-2021-4408 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The DW Question & Answer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.8. This is due to missing or incorrect nonce validation on the update_answer() function. This makes it possible…
- CVE-2021-4409 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The WooCommerce Etsy Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the etcpf_delete_feed() function. This makes…
- CVE-2021-4410 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Qtranslate Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.18. This is due to missing or incorrect nonce validation on the save_postdata() function. This makes it possible for…
- CVE-2021-4411 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the wpep_download_transaction_in_exce…
- CVE-2021-44117 | HIGH | CVSS 8.8 | EG 8.8 | 2022-06-10
  A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.
- CVE-2021-4412 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the save() and export() functions. This makes it possible for u…
- CVE-2021-44122 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-26
  SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website wh…
- CVE-2021-4413 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the save() function. This makes it possib…
- CVE-2021-4414 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.5. This is due to missing or incorrect nonce validation on the wcal_preview_emails() function. T…
- CVE-2021-4415 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.28. This is due to missing or incorrect nonce validation on the sunshine_products_quicksave_post() function. This…
- CVE-2021-4416 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the mpdf_admin_savepost() function. This makes it possible for un…
- CVE-2021-4417 | MEDIUM | CVSS 5.4 | EG 5.4 | 2023-07-12
  The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the list…
- CVE-2021-4418 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-10-20
  The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unau…
- CVE-2021-4419 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The WP-Backgrounds Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the ino_save_data() function. This makes it possible fo…
- CVE-2021-4420 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Sell Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.5. This is due to missing or incorrect nonce validation on the sell_media_process() function. This makes it possible for …
- CVE-2021-4421 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Advanced Popups plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the metabox_popup_save() function. This makes it possible…
- CVE-2021-4422 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible …
- CVE-2021-44227 | HIGH | CVSS 8.8 | EG 8.8 | 2021-12-02
  In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
- CVE-2021-4423 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The RAYS Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the rsgd_insert_update() function. This makes it possible for u…
- CVE-2021-4424 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possib…
- CVE-2021-4425 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it pos…
- CVE-2021-4426 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Absolute Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the metabox_review_save() function. This makes it possib…
- CVE-2021-4427 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-07-12
  The Vuukle Comments, Reactions, Share Bar, Revenue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.31. This is due to missing or incorrect nonce validation in the /admin/partials/free-…
- CVE-2021-44312 | HIGH | CVSS 8.8 | EG 8.8 | 2022-03-30
  An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page.
- CVE-2021-44321 | MEDIUM | CVSS 5.0 | EG 5.0 | 2022-03-04
  Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application and create a malicious file for updating …
- CVE-2021-44777 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-01-19
  Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).
- CVE-2021-44942 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-12-14
  glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator to click, an attacker can add a blacklis…
- CVE-2021-45007 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-20
  Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more…
- CVE-2021-45017 | HIGH | CVSS 8.8 | EG 8.8 | 2021-12-15
  Cross Site Request Forgery (CSRF) vulnerability exists in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add M…
- CVE-2021-45268 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-03
  A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a malicious add-on with crafted PHP file. NOTE: the v…
- CVE-2021-45326 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-08
  Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before 1.5.2 via API routes. This can be dangerous especially with state altering POST requests.
- CVE-2021-45785 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-06-24
  TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET …
- CVE-2021-45886 | HIGH | CVSS 8.8 | EG 8.8 | 2022-03-13
  An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) c…
- CVE-2021-46027 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-01-19
  mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the background blog management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, a blog tag will be added.
- CVE-2021-46028 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-01-20
  In mblog <= 3.5.0 there is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted.
- CVE-2021-46080 | MEDIUM | CVSS 4.8 | EG 4.8 | 2022-01-06
  A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. A successful CSRF attack leads to a Stored Cross Site Scripting vulnerability.
- CVE-2021-46147 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-10
  An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.
- CVE-2021-46252 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-15
  A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
- CVE-2021-46366 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-11
  An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.
- CVE-2021-46398 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-04
  A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An adm…
- CVE-2021-46426 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-03-25
  phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.