CWE-352: Cross-Site Request Forgery (CSRF)
The web application does not sufficiently verify that a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
All Cross-Site Request Forgery (CSRF) CVEs (2,348)
Rockwell Automation Enhanced HIM software has insufficient API protection with incorrect CORS settings, making it vulnerable to CSRF attacks. An attac...
Jul 11, 2023
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in XWiki Platform's REST API that allows attackers to execute arbitrary code when...
Jul 10, 2023
HCL Compass has a Cross-Origin Resource Sharing (CORS) vulnerability that allows attackers to trick authenticated users into making unauthorized reque...
Apr 2, 2023
This vulnerability in the Post Snippets WordPress plugin allows attackers to trick logged-in administrators into importing malicious code snippets wit...
Feb 28, 2022
Kashipara Bus Ticket Reservation System v1.0 has a CSRF vulnerability in /deleteTicket.php that allows attackers to trick authenticated users into per...
Aug 23, 2024
This vulnerability in the WordPress Awesome Logos plugin allows attackers to perform SQL injection via Cross-Site Request Forgery (CSRF). Attackers ca...
Mar 24, 2025
This CSRF vulnerability in dingfanzu CMS V1.0 allows attackers to trick authenticated administrators into performing unauthorized actions, specificall...
Nov 8, 2024
CVE-2021-41274 is a CSRF vulnerability in solidus_auth_devise that allows attackers to take over user accounts by tricking authenticated users into su...
Nov 17, 2021
Yoga Class Registration System 1.0 contains a cross-site request forgery (CSRF) vulnerability that allows administrators to execute arbitrary commands...
Jun 24, 2023
CVE-2023-23465 is a Cross-Site Request Forgery (CSRF) vulnerability in Media CP Media Control Panel that allows attackers to trick authenticated users...
Feb 15, 2023
A Cross-Site Request Forgery (CSRF) vulnerability in Sell Done Storefront v1.0 allows attackers to trick authenticated users into performing unintende...
Mar 3, 2025
CVE-2023-40572 is a Cross-Site Request Forgery (CSRF) vulnerability in XWiki Platform's create action that allows attackers to execute arbitrary scrip...
Aug 24, 2023
This vulnerability in the Pixel Cat WordPress plugin allows attackers to trick logged-in administrators into changing plugin settings without their co...
Dec 13, 2021
This is a Cross-Site Request Forgery (CSRF) vulnerability in web applications with weak user management. Attackers can craft malicious URLs that execu...
Sep 18, 2023
PlaciPy placement management system lacks CSRF protection while allowing credentialed CORS requests, enabling attackers to perform unauthorized action...
Feb 9, 2026
This CSRF vulnerability in Axigen Mail Server's WebAdmin interface allows attackers to craft malicious URLs that execute administrative actions when c...
Feb 5, 2026
This CSRF vulnerability in bdthemes Element Pack Elementor Addons allows attackers to trick authenticated WordPress administrators into performing uni...
Jan 22, 2026
This CSRF vulnerability in Easy!Appointments allows attackers to perform state-changing operations via crafted GET requests, bypassing CSRF protection...
Jan 15, 2026
GestSup versions up to 3.2.60 contain a CSRF vulnerability that allows attackers to trick authenticated users into performing unauthorized actions. An...
Jan 9, 2026
CVE-2022-50804 is a CSRF vulnerability in JM-DATA ONU JF511-TV version 1.0.67 that allows attackers to trick authenticated administrators into unknowi...
Dec 30, 2025
DedeCMS v5.7 contains a CSRF vulnerability in the makehtml_list_action.php file that allows attackers to trick authenticated administrators into perfo...
Dec 29, 2025
This CSRF vulnerability in the Five Star Restaurant Reservations WordPress plugin allows attackers to trick authenticated administrators into performi...
Dec 24, 2025
This CSRF vulnerability in the Advanced Classifieds & Directory Pro WordPress plugin allows attackers to trick authenticated administrators into perfo...
Dec 24, 2025
This CSRF vulnerability in the Tikweb Management Fast User Switching WordPress plugin allows attackers to trick authenticated administrators into perf...
Dec 24, 2025
This CSRF vulnerability in the Vimeotheque WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions ...
Dec 24, 2025
This CSRF vulnerability in the Simple Keyword to Link WordPress plugin allows attackers to trick authenticated administrators into performing unintend...
Dec 24, 2025
This CSRF vulnerability in the WordPress My auctions allegro plugin allows attackers to trick authenticated administrators into performing unintended ...
Dec 24, 2025
This CSRF vulnerability in WP Email Capture allows attackers to trick authenticated WordPress administrators into performing unintended actions. It af...
Dec 24, 2025
This vulnerability in the Evergreen Post Tweeter WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to S...
Dec 24, 2025
This CSRF vulnerability in the Trade Runner WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions...
Dec 24, 2025
A Cross-Site Request Forgery (CSRF) vulnerability in Open Source Point of Sale (OSPOS) allows unauthenticated attackers to create administrator accoun...
Dec 17, 2025
This CSRF vulnerability in narda miteq Uplink Power Control Unit UPC2 version 1.17 allows remote attackers to trick authenticated users into executing...
Dec 17, 2025
nopCommerce 4.90.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in its Schedule Tasks functionality. This allows attackers to trick auth...
Dec 16, 2025
Selea Targa IP OCR-ANPR cameras contain a CSRF vulnerability that allows attackers to create administrative accounts without authentication. When a lo...
Dec 9, 2025
CVE-2021-47723 is a cross-site request forgery vulnerability in STVS ProVision 5.9.10 that allows attackers to create new administrative users by tric...
Dec 9, 2025
A Cross-Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky software allows attackers to trick authenticated users into performing unintend...
Dec 9, 2025
This CSRF vulnerability in kubiq PDF Thumbnail Generator allows attackers to trick authenticated WordPress administrators into performing unintended a...
Dec 9, 2025
This CSRF vulnerability in the Quick Contact Form WordPress plugin allows attackers to trick authenticated administrators into performing unintended a...
Dec 9, 2025
This CSRF vulnerability in vcita's WordPress booking plugin allows attackers to trick authenticated administrators into performing unintended actions,...
Dec 9, 2025
This Cross-Site Request Forgery (CSRF) vulnerability in the CWW Companion WordPress plugin allows attackers to trick authenticated administrators into...
Dec 9, 2025
This CSRF vulnerability in QuantumCloud Simple Link Directory WordPress plugin allows attackers to trick authenticated administrators into performing ...
Dec 9, 2025
A Cross-Site Request Forgery (CSRF) vulnerability in the Ays Pro Chartify WordPress plugin allows attackers to trick authenticated administrators into...
Dec 9, 2025
This CSRF vulnerability in the Dimitri Grassi Salon booking system WordPress plugin allows attackers to trick authenticated administrators into perfor...
Dec 9, 2025
This Cross-Site Request Forgery (CSRF) vulnerability in the Simple Folio WordPress plugin allows attackers to trick authenticated administrators into ...
Dec 9, 2025
This CSRF vulnerability in the WordPress Add Custom Codes plugin allows attackers to trick authenticated administrators into performing unintended act...
Dec 9, 2025
This CSRF vulnerability in the WordPress User Generator and Importer plugin allows unauthenticated attackers to create administrator accounts by trick...
Dec 5, 2025
This CSRF vulnerability in ObjectPlanet Opinio allows attackers to trick authenticated users into uploading files to the system, then access those fil...
Dec 2, 2025
PublicCMS V5.202506.b contains a CSRF vulnerability in the CkEditorAdminController that allows attackers to trick authenticated administrators into pe...
Dec 1, 2025
A CSRF vulnerability in Tuya SDK's OAuth implementation allows attackers to link their Amazon Alexa account to victims' Tuya accounts without consent....
Nov 24, 2025
The Zegen Core WordPress plugin up to version 2.0.1 has a CSRF vulnerability that allows unauthenticated attackers to upload arbitrary files to the se...
Nov 21, 2025
About Cross-Site Request Forgery (CSRF) (CWE-352)
Our database tracks 2,348 CVEs classified as CWE-352, with 63 rated critical and 1,273 rated high severity. The average CVSS score for Cross-Site Request Forgery (CSRF) vulnerabilities is 6.6.