← Back
CWE-352

9,383 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

JSON object

Loading...

CVEs (9,383)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Adtribes
1Product Feed Pro For Woocommerce
Jun 17, 2026
Apr 6, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in AdTribes.Io Product Feed PRO for WooCommerce plugin <= 12.4.4 versions.
1Wclovers
1Wcfm Membership
Jun 17, 2026
Apr 5, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticate...Show more
The WCFM Membership plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.10 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying membership details, changing renewal information, controlling membership approvals, and more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link.Show less
1Cisco
2Evolved Programmable Network Manager
Prime Infrastructure
Jun 17, 2026
Apr 5, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduc...Show more
Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged information and conduct cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. For more information about these vulnerabilities, see the Details section of this advisory.Show less
1Wclovers
1Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
Jun 17, 2026
Apr 5, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthent...Show more
The WCFM Frontend Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.0 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying knowledge bases, modifying notices, modifying payments, managing vendors, capabilities, and so much more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link. There were hundreds of AJAX endpoints affected.Show less
1Wclovers
1Wcfm Marketplace
Jun 17, 2026
Apr 5, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticat...Show more
The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and more, via a forged request granted they can trick a site's administrator into performing an action such as clicking on a link.Show less
1Plugin
1Yourchannel
Jun 17, 2026
Apr 5, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the deleteLang function. This makes it pos...Show more
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the deleteLang function. This makes it possible for unauthenticated attackers to reset the plugin's quick language translation settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Plugin
1Yourchannel
Jun 17, 2026
Apr 5, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the saveLang function. This makes it possi...Show more
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the saveLang function. This makes it possible for unauthenticated attackers to change the plugin's quick language translation settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Plugin
1Yourchannel
Jun 17, 2026
Apr 5, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the save function. This makes it possible...Show more
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Plugin
1Yourchannel
Jun 17, 2026
Apr 5, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the clearKeys function. This makes it poss...Show more
The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the clearKeys function. This makes it possible for unauthenticated attackers to reset the plugin's channel settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Vitalpbx
1Vitalpbx
Jun 17, 2026
Apr 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF.
1Svelte
1Sveltekit
Jun 17, 2026
Apr 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP meth...Show more
SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`, `PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request.Show less
1Mm Wiki Project
1Mm Wiki
Jun 17, 2026
Apr 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.
1Nextcloud
1User Oidc
Jun 17, 2026
Apr 4, 2023
N/A· v4
5.4 MEDIUM· v3
N/A· v2
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could...Show more
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.Show less
1Peepso
1Peepso
Jun 17, 2026
Apr 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin <= 6.0.2.0 versions.
1Inisev
1Redirection
Jun 17, 2026
Apr 3, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.
1Bestwebsoft
1User Role
Jun 17, 2026
Apr 3, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.
1Jenkins
1Convert To Pipeline
Jun 17, 2026
Apr 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RC...Show more
A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).Show less
1Jenkins
1Octoperf Load Testing
Jun 17, 2026
Apr 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentia...Show more
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.Show less
1Jenkins
1Octoperf Load Testing
Jun 17, 2026
Apr 2, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtaine...Show more
A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.Show less
1Hcltech
1Hcl Compass
Jun 17, 2026
Apr 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS). This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious reque...Show more
HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS). This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious request. Show less