CWE-352

9,364 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,364)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Devscred
1Exclusive Addons For Elementor
Jun 17, 2026
Feb 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in DevsCred Exclusive Addons Elementor plugin <= 2.6.1 versions.
1Magneticlab
1Homepage Pop Up
Jun 17, 2026
Feb 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in Magneticlab Sàrl Homepage Pop-up plugin <= 1.2.5 versions.
1Sunshinephotocart
1Sunshine Photo Cart
Jun 17, 2026
Feb 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions.
1Standalonetech
1Terawallet
Jun 17, 2026
Feb 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) vulnerability in TeraWallet – For WooCommerce plugin <= 1.3.24 versions.
1Squidex.io
1Squidex
Jun 17, 2026
Feb 2, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.
1Clockwork Web Project
1Clockwork Web
Jun 17, 2026
Feb 2, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.
1Joomla
1Joomla
Jun 17, 2026
Feb 1, 2023
N/A· v4
6.3 MEDIUM· v3
N/A· v2
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
1Vmware
1Vrealize Operations
Jun 17, 2026
Feb 1, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user.
1Schneider Electric
1Conext Combox Firmware
Jun 17, 2026
Jan 30, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that could cause system’s configurations override and cause a reboot loop when the product suffers from POST-Based Cross-Site Request Forgery (CSRF). Affected Products: Conext™ ComBox (All Versions)
1Chained Products Project
1Chained Products
Jun 17, 2026
Jan 30, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, and does not ensure that the option to be updated belongs to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'.
1Armandofiore
1Fl3r Feelbox
Jun 17, 2026
Jan 30, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating resetting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydl_posts & lydl_poststimestamp DB tables.
1Armandofiore
1Fl3r Feelbox
Jun 17, 2026
Jan 30, 2023
N/A· v4
6.1 MEDIUM· v3
N/A· v2
The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
1Pandorafms
1Pandora Fms
Jun 17, 2026
Jan 27, 2023
N/A· v4
5.4 MEDIUM· v3
N/A· v2
There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an attacker to steal the value of the admin user's cookie.
1Thingsforrestaurants
1Quick Restaurant Menu
Jun 17, 2026
Jan 27, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The Quick Restaurant Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to update menu items, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1Openmage
1Magento
Jun 17, 2026
Jan 27, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Magento LTS (Long Term Support) is a community-developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and the user submits a new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
1Jenkins
1Bearychat
Jun 17, 2026
Jan 26, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL.
1Jenkins
1Keycloak Authentication
Jun 17, 2026
Jan 26, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account.
1Jenkins
1Testquality Updater
Jun 17, 2026
Jan 26, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.
1Jenkins
1Rabbitmq Consumer
Jun 17, 2026
Jan 26, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.
1Jenkins
1Openid
Jun 17, 2026
Jan 26, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.