CWE-352

9,383 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,383)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Yzmcms
1Yzmcms
Jun 17, 2026
Jun 20, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Cross Site Request Forgery found in yzCMS v.2.0 allows a remote attacker to execute arbitrary code via the token check function.
1Zephyr Project Manager Project
1Zephyr Project Manager
Jun 17, 2026
Jun 19, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
1Ricoh
1Printer Driver Packager Nx
Jun 17, 2026
Jun 19, 2023
N/A· v4
7.8 HIGH· v3
N/A· v2
The driver installation package created by Printer Driver Packager NX v1.0.02 to v1.1.25 fails to detect its modification and may spawn an unexpected process with the administrative privilege. If a non-administrative user modifies the driver installation package and runs it on the target PC, an arbitrary program may be executed with the administrative privilege.
1Intrepidity Project
1Intrepidity
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability allows arbitrary file upload in Shingo Intrepidity plugin <= 1.5.1 versions.
1Digitalinspiration
1Google Xml Sitemap For Videos
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in Amit Agarwal Google XML Sitemap for Videos plugin <= 2.6.1 versions.
1Givewp
1Givewp
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1 versions.
1Hasthemes
1Ht Easy Ga4 (google Analytics 4)
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in HasThemes HT Easy GA4 ( Google Analytics 4 ) plugin <= 1.0.6 versions.
1Cformsii Project
1Cformsii
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in Oliver Seidel, Bastian Germann cformsII plugin <= 15.0.4 versions.
1Liferay
2Dxp
Liferay Portal
Jun 17, 2026
Jun 15, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-site request forgery (CSRF) vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to execute arbitrary code in the scripting console via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
1Jenkins
1Digital.ai App Management Publisher
Jun 17, 2026
Jun 14, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.
1Jenkins
1Jenkins
Jun 17, 2026
Jun 14, 2023
N/A· v4
8.0 HIGH· v3
N/A· v2
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.
1Inspireui
1Mstore Api
Jun 17, 2026
Jun 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Inspireui
1Mstore Api
Jun 17, 2026
Jun 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update new order title via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Inspireui
1Mstore Api
Jun 17, 2026
Jun 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update new order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Inspireui
1Mstore Api
Jun 17, 2026
Jun 14, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Auto Upload Images Project
1Auto Upload Images
Jun 17, 2026
Jun 13, 2023
N/A· v4
6.1 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in Ali Irani Auto Upload Images plugin <= 3.3 versions allows Stored Cross-Site Scripting (XSS).
1Siemens
1Q200 Firmware
Jun 17, 2026
Jun 13, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A vulnerability has been identified in SICAM P850 (7KG8500-0AA00-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA00-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA32-0AA0) (All versions < V3.11), 
SICAM P855 (7KG8551-0AA32-2AA0) (All versions < V3.11), SICAM T (All versions < V3.0). The web interface of the affected devices are vulnerable to Cross-Site Request Forgery attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user.
1Cimatti
1Contact Forms
Jun 17, 2026
Jun 13, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.7. This is due to missing or incorrect nonce validation on the function _accua_forms_form_edit_action. This makes it possible for unauthenticated attackers to delete forms created with this plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Wpdirectorykit
1Wp Directory Kit
Jun 17, 2026
Jun 13, 2023
N/A· v4
4.7 MEDIUM· v3
N/A· v2
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
1Wpwhitesecurity
1Wp Activity Log
Jun 17, 2026
Jun 9, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.