CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,854 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 126 of 178
- CVE-2024-48758MEDIUMCVSS 6.1EG 6.12024-10-16
dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the addPro parameter of the component doAdminAction.php which allows a remote attacker to execute arbitrary code
- CVE-2024-48846HIGHCVSS 7.1EG 7.12024-12-05
Cross Site Request Forgery vulnerabilities where found providing a potiential for exposing sensitive information or changing system settings. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v…
- CVE-2024-48913MEDIUMCVSS 5.9EG 5.92024-10-15
Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always cons…
- CVE-2024-48962HIGHCVSS 8.8EG 7.52024-11-18
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 1…
- CVE-2024-49220HIGHCVSS 7.1EG 7.12024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in Nikel Cookie Scanner cookie-scanner allows Cross Site Request Forgery.This issue affects Cookie Scanner: from n/a through <= 1.1.
- CVE-2024-49221HIGHCVSS 7.1EG 7.12024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in julian.weinert cSlider cslider allows Cross Site Request Forgery.This issue affects cSlider: from n/a through <= 2.4.2.
- CVE-2024-49223HIGHCVSS 7.1EG 7.12024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in shibulijack CJ Change Howdy cj-change-howdy allows Cross Site Request Forgery.This issue affects CJ Change Howdy: from n/a through <= 3.3.1.
- CVE-2024-49237HIGHCVSS 7.1EG 7.12024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in ahmeti Ahmeti Wp Timeline ahmeti-wp-timeline allows Stored XSS.This issue affects Ahmeti Wp Timeline: from n/a through <= 5.1.
- CVE-2024-49250MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Table of Contents Plus table-of-contents-plus allows Cross Site Request Forgery.This issue affects Table of Contents Plus: from n/a through <= 2408.
- CVE-2024-49272MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in wpweb Social Auto Poster social-auto-poster allows Cross Site Request Forgery.This issue affects Social Auto Poster: from n/a through <= 5.3.15.
- CVE-2024-49274MEDIUMCVSS 5.4EG 5.42024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Infomaniak Network VOD Infomaniak vod-infomaniak allows Cross Site Request Forgery.This issue affects VOD Infomaniak: from n/a through <= 1.5.7.
- CVE-2024-49275MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Northern Beaches Websites IdeaPush ideapush allows Cross Site Request Forgery.This issue affects IdeaPush: from n/a through <= 8.69.
- CVE-2024-4929MEDIUMCVSS 4.3EG 4.32024-05-16
A vulnerability classified as problematic has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/admin/ajax.php?action=save_user. The manipulation leads to …
- CVE-2024-49290MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
- CVE-2024-49294MEDIUMCVSS 4.3EG 4.32025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Cross Site Request Forgery.This issue affects Bus Ticket Booking with Seat Reservati…
- CVE-2024-49304MEDIUMCVSS 5.4EG 5.42024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Stored XSS.This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.5.7.
- CVE-2024-49306MEDIUMCVSS 5.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Content Copy Protection & No Right Click wp-content-copy-protector allows Cross Site Request Forgery.This issue affects WP Content Copy Protection & No Right Click: from n/a thro…
- CVE-2024-49313HIGHCVSS 7.1EG 7.12024-10-17
Cross-Site Request Forgery (CSRF) vulnerability in rudestan VKontakte Wall Post vkontakte-wall-post allows Stored XSS.This issue affects VKontakte Wall Post: from n/a through <= 2.0.
- CVE-2024-49335HIGHCVSS 7.1EG 7.12024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in sh4d0w28 GoogleDrive folder list googledrive-folder-list allows Stored XSS.This issue affects GoogleDrive folder list: from n/a through <= 2.2.2.
- CVE-2024-49340MEDIUMCVSS 4.3EG 4.32024-10-16
IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
- CVE-2024-49605HIGHCVSS 7.1EG 7.12024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Stefan Nour AVChat Video Chat avchat-3 allows Stored XSS.This issue affects AVChat Video Chat: from n/a through <= 2.2.
- CVE-2024-49615HIGHCVSS 8.2EG 8.22024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Henrique Rodrigues SafetyForms safetymails-forms allows Blind SQL Injection.This issue affects SafetyForms: from n/a through <= 1.0.0.
- CVE-2024-49617HIGHCVSS 8.2EG 8.22024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in anciwasim Back Link Tracker back-link-tracker allows Blind SQL Injection.This issue affects Back Link Tracker: from n/a through <= 1.0.0.
- CVE-2024-49621HIGHCVSS 8.2EG 8.22024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari APA Register Newsletter Form apa-register-newsletter-form allows SQL Injection.This issue affects APA Register Newsletter Form: from n/a through <= 1.0.0.
- CVE-2024-49622HIGHCVSS 8.2EG 8.22024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in aatmaadhikari Apa Banner Slider apa-banner-slider allows SQL Injection.This issue affects Apa Banner Slider: from n/a through <= 1.0.0.
- CVE-2024-49627MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Noor Alam WordPress Image SEO allows Cross Site Request Forgery.This issue affects WordPress Image SEO: from n/a through 1.1.4.
- CVE-2024-49628MEDIUMCVSS 4.3EG 4.32024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in whiletrue Most And Least Read Posts Widget most-and-least-read-posts-widget allows Cross Site Request Forgery.This issue affects Most And Least Read Posts Widget: from n/a through <= 2.5.1…
- CVE-2024-49629HIGHCVSS 7.1EG 7.12024-10-20
Cross-Site Request Forgery (CSRF) vulnerability in Fahad Mahmood Endless Posts Navigation endless-posts-navigation allows Stored XSS.This issue affects Endless Posts Navigation: from n/a through <= 2.2.7.
- CVE-2024-49672HIGHCVSS 7.1EG 7.12024-10-29
Cross-Site Request Forgery (CSRF) vulnerability in giffordcheung Google Docs RSVP google-docs-rsvp-guestlist allows Stored XSS.This issue affects Google Docs RSVP: from n/a through <= 2.0.1.
- CVE-2024-49674CRITICALCVSS 9.6EG 9.62024-10-31
Cross-Site Request Forgery (CSRF) vulnerability in lukashuser EKC Tournament Manager ekc-tournament-manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through <= 2.2.1.
- CVE-2024-49685MEDIUMCVSS 5.4EG 5.42024-10-31
Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Custom Twitter Feeds (Tweets Widget) custom-twitter-feeds allows Cross Site Request Forgery.This issue affects Custom Twitter Feeds (Tweets Widget): from n/a through <= 2.2.3.
- CVE-2024-4969MEDIUMCVSS 4.3EG 4.32024-06-21
The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack
- CVE-2024-49779MEDIUMCVSS 4.3EG 4.32025-02-20
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to bypass security restrictions, caused by improper validation and management of authentication cookies. By modifying the CSRF token and Session Id cookie …
- CVE-2024-49794MEDIUMCVSS 4.3EG 4.32025-02-06
IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
- CVE-2024-49795MEDIUMCVSS 4.3EG 4.32025-02-06
IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
- CVE-2024-4994HIGHCVSS 8.1EG 8.12025-06-20
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's Grap…
- CVE-2024-5003MEDIUMCVSS 5.4EG 5.42024-06-07
The WP Stacker WordPress plugin through 1.8.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
- CVE-2024-5028MEDIUMCVSS 6.5EG 6.52024-07-13
The CM WordPress Search And Replace Plugin WordPress plugin before 1.3.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
- CVE-2024-5029MEDIUMCVSS 4.8EG 4.82024-11-21
The CM Table Of Contents WordPress plugin before 1.2.4 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a…
- CVE-2024-5030LOWCVSS 3.8EG 3.82024-11-18
The CM Table Of Contents WordPress plugin before 1.2.3 does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin perform such action via a CSRF attack
- CVE-2024-5033MEDIUMCVSS 5.9EG 5.92024-07-13
The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
- CVE-2024-5034HIGHCVSS 8.8EG 8.82024-07-13
The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
- CVE-2024-50466MEDIUMCVSS 4.3EG 4.32024-10-29
Cross-Site Request Forgery (CSRF) vulnerability in DarkMySite DarkMySite – Advanced Dark Mode Plugin for WordPress darkmysite allows Cross Site Request Forgery.This issue affects DarkMySite – Advanced Dark Mode Plugin for WordPress: fr…
- CVE-2024-50533HIGHCVSS 7.1EG 7.12024-11-19
Cross-Site Request Forgery (CSRF) vulnerability in David Garcia Domain Sharding domain-sharding allows Stored XSS.This issue affects Domain Sharding: from n/a through <= 1.2.1.
- CVE-2024-50534HIGHCVSS 7.1EG 7.12024-11-19
Cross-Site Request Forgery (CSRF) vulnerability in techdabang World Prayer Time world-prayer-time allows Stored XSS.This issue affects World Prayer Time: from n/a through <= 2.0.
- CVE-2024-50705HIGHCVSS 7.1EG 7.12025-03-04
Unauthenticated reflected cross-site scripting (XSS) vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary scripts via the page parameter.
- CVE-2024-5076HIGHCVSS 8.8EG 8.82024-07-13
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
- CVE-2024-5077MEDIUMCVSS 6.8EG 6.82024-07-13
The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
- CVE-2024-5081MEDIUMCVSS 6.1EG 6.12024-08-05
The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
- CVE-2024-50858HIGHCVSS 8.8EG 8.82025-01-14
Multiple endpoints in GestioIP v3.5.7 are vulnerable to Cross-Site Request Forgery (CSRF). An attacker can execute actions via the admin's browser by hosting a malicious URL, leading to data modification, deletion, or exfiltration.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →