CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,840 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 60 of 177
- CVE-2021-34620HIGHCVSS 8.8EG 8.82021-07-07
The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administr…
- CVE-2021-34628HIGHCVSS 8.8EG 8.82021-08-02
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scri…
- CVE-2021-34631HIGHCVSS 8.8EG 8.82021-08-05
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.…
- CVE-2021-34632HIGHCVSS 8.8EG 8.82021-08-02
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.
- CVE-2021-34633HIGHCVSS 8.8EG 8.82021-08-05
The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including …
- CVE-2021-34634HIGHCVSS 8.8EG 8.82021-08-05
The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and incl…
- CVE-2021-34636HIGHCVSS 8.8EG 8.82021-09-28
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allo…
- CVE-2021-34637HIGHCVSS 8.8EG 8.82021-08-02
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.
- CVE-2021-34645HIGHCVSS 8.8EG 8.82021-08-19
The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arb…
- CVE-2021-34661MEDIUMCVSS 6.1EG 6.12021-08-09
The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, i…
- CVE-2021-34743MEDIUMCVSS 4.3EG 4.32021-10-21
A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express c…
- CVE-2021-34773MEDIUMCVSS 6.5EG 6.52021-11-04
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unified Communications Manager IM &…
- CVE-2021-35242HIGHCVSS 8.3EG 8.32021-12-06
Serv-U server responds with valid CSRFToken when the request contains only Session.
- CVE-2021-35343MEDIUMCVSS 4.3EG 4.32021-08-03
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.Ajax.php in SeedDMS v5.1.x<5.1.23 and v6.0.x<6.0.16 allows a remote attacker to edit document name without victim's knowledge, by enticing an authenticated user to visit an atta…
- CVE-2021-35491HIGHCVSS 8.1EG 8.12021-10-05
A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not imple…
- CVE-2021-36443HIGHCVSS 8.8EG 8.82023-02-03
Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.
- CVE-2021-36444HIGHCVSS 8.8EG 8.82023-02-03
Cross Site Request Forgery (CSRF) vulnerability in imcat 5.4 allows remote attackers to gain escalated privileges via flaws one time token generation on the add administrator page.
- CVE-2021-36542MEDIUMCVSS 4.3EG 4.32021-08-03
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.LockDocument.php in SeedDMS v5.1.x<5.1.23 and v6.0.x <6.0.16 allows a remote attacker to lock any document without victim's knowledge, by enticing an authenticated user to visit…
- CVE-2021-36543MEDIUMCVSS 4.3EG 4.32021-08-03
Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.UnlockDocument.php in SeedDMS v5.1.x <5.1.23 and v6.0.x <6.0.16 allows a remote attacker to unlock any document without victim's knowledge, by enticing an authenticated user to …
- CVE-2021-36569HIGHCVSS 8.8EG 8.82023-02-03
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /users/delete/2.
- CVE-2021-36570HIGHCVSS 8.8EG 8.82023-02-03
Cross Site Request Forgery vulnerability in FUEL-CMS 1.4.13 allows remote attackers to run arbitrary code via post ID to /permissions/delete/2---.
- CVE-2021-3683MEDIUMCVSS 6.5EG 5.42021-11-13
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-36850MEDIUMCVSS 5.4EG 5.42021-10-04
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media…
- CVE-2021-36852MEDIUMCVSS 4.3EG 8.02022-08-22
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
- CVE-2021-36854MEDIUMCVSS 5.4EG 8.82022-09-30
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
- CVE-2021-36855MEDIUMCVSS 6.1EG 6.12022-09-30
Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in Booking Ultra Pro plugin <= 1.1.4 at WordPress.
- CVE-2021-36861MEDIUMCVSS 5.4EG 4.32022-08-05
Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.
- CVE-2021-36876MEDIUMCVSS 5.4EG 5.42021-09-27
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages.
- CVE-2021-36877MEDIUMCVSS 4.3EG 4.32021-09-27
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles.
- CVE-2021-36878MEDIUMCVSS 4.3EG 4.32021-09-27
Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.
- CVE-2021-36886MEDIUMCVSS 6.5EG 8.82021-12-22
Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9).
- CVE-2021-36887MEDIUMCVSS 6.1EG 6.12021-12-20
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarte…
- CVE-2021-36890MEDIUMCVSS 4.3EG 4.32022-06-02
Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.
- CVE-2021-36891MEDIUMCVSS 5.4EG 4.32022-06-15
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.
- CVE-2021-36908HIGHCVSS 8.8EG 8.82021-11-18
Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.
- CVE-2021-36914MEDIUMCVSS 6.1EG 6.12022-04-12
Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) in CalderaWP License Manager (WordPress plugin) <= 1.2.11.
- CVE-2021-36915MEDIUMCVSS 4.2EG 4.32022-10-11
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.
- CVE-2021-37198HIGHCVSS 8.8EG 8.82022-01-11
A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used)…
- CVE-2021-37201HIGHCVSS 8.8EG 8.82021-09-14
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configu…
- CVE-2021-37234MEDIUMCVSS 6.5EG 6.52023-02-03
Incorrect Access Control vulnerability in Modern Honey Network commit 0abf0db9cd893c6d5c727d036e1f817c02de4c7b allows remote attackers to view sensitive information via crafted PUT request to Web API.
- CVE-2021-3728MEDIUMCVSS 6.5EG 6.52021-08-23
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3729MEDIUMCVSS 4.3EG 4.32021-08-23
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3730MEDIUMCVSS 6.5EG 6.52021-08-23
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3734HIGHCVSS 8.8EG 6.52021-08-26
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames
- CVE-2021-37366HIGHCVSS 8.8EG 8.82021-08-10
CTparental before 4.45.03 is vulnerable to cross-site request forgery (CSRF) in the CTparental admin panel. By combining CSRF with XSS, an attacker can trick the administrator into clicking a link that cancels the filtering for all standar…
- CVE-2021-37381HIGHCVSS 8.8EG 8.82021-08-06
Southsoft GMIS 5.0 is vulnerable to CSRF attacks. Attackers can access other users' private information such as photos through CSRF. For example: any student's photo information can be accessed through /gmis/(S([1]))/student/grgl/PotoImage…
- CVE-2021-37725HIGHCVSS 8.1EG 8.12021-09-07
A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.8.0.1, 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.15. Ar…
- CVE-2021-3775MEDIUMCVSS 5.4EG 4.32021-11-13
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3776MEDIUMCVSS 5.4EG 5.42021-11-13
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3819HIGHCVSS 8.8EG 8.82021-09-27
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →