CWE-352 – Cross-Site Request Forgery (CSRF) | Common Weakness Enumeration (CWE)

Overview

CWE-352 (Cross-Site Request Forgery (CSRF)) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact: Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Applicable platforms

Kind	Name	Class	Prevalence	OS / CPE
language	—	Not Language-Specific	Undetermined	—
technology	—	Web Based	Undetermined	—
technology	Web Server	—	Undetermined	—

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE	Published	Summary
CVE-2026-9732	2026-06-03	The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorre…
CVE-2026-42073	2026-06-02	OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP serve…
CVE-2026-34460	2026-06-02	NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization cod…
CVE-2026-9730	2026-06-02	The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on th…
CVE-2026-9723	2026-06-02	The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the goo…
CVE-2026-9722	2026-06-02	The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageF…
CVE-2026-9599	2026-06-02	The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init fun…
CVE-2026-8422	2026-06-02	The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on…
CVE-2026-4071	2026-06-02	The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page(…
CVE-2018-25435	2026-06-01	ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate cus…
CVE-2026-49433	2026-06-01	The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker…
CVE-2026-40549	2026-06-01	SOPlanning is vulnerable to Cross‑Site Request Forgery (CSRF) in groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user,…
CVE-2018-25397	2026-05-29	PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated a…
CVE-2018-25387	2026-05-29	HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft …
CVE-2026-45610	2026-05-29	WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA valu…
CVE-2026-6075	2026-05-29	The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handler…
CVE-2026-35266	2026-05-28	Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network ac…
CVE-2026-9618	2026-05-28	The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to,…
CVE-2026-6455	2026-05-28	The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and in…
CVE-2026-7533	2026-05-28	The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_…

Content submission

Name: PLOVER
Date: 2006-07-19
Version: Draft 3

Content modifications

Date	Name	Version	Importance	Comment
2008-07-01	Eric Dalci	1.0	—	updated Time_of_Introduction
2008-09-08	CWE Content Team	1.0	—	updated Alternate_Terms, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
2009-01-12	CWE Content Team	1.2	—	updated Applicable_Platforms, Description, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Theoretical_Notes
2009-03-10	CWE Content Team	1.3	—	updated Potential_Mitigations
2009-05-20	Tom Stracener	1.4	—	Added demonstrative example for profile.
2009-05-27	CWE Content Team	1.4	—	updated Demonstrative_Examples, Related_Attack_Patterns
2009-12-28	CWE Content Team	1.7	—	updated Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Time_of_Introduction
2010-02-16	CWE Content Team	1.8	—	updated Applicable_Platforms, Detection_Factors, References, Relationships, Taxonomy_Mappings
2010-06-21	CWE Content Team	1.9	—	updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
2010-09-27	CWE Content Team	1.10	—	updated Potential_Mitigations
2011-03-29	CWE Content Team	1.12	—	updated Description
2011-06-01	CWE Content Team	1.13	—	updated Common_Consequences
2011-06-27	CWE Content Team	2.0	—	updated Relationships
2011-09-13	CWE Content Team	2.1	—	updated Potential_Mitigations, References
2012-05-11	CWE Content Team	2.2	—	updated Related_Attack_Patterns, Relationships
2012-10-30	CWE Content Team	2.3	—	updated Potential_Mitigations
2013-02-21	CWE Content Team	2.4	—	updated Relationships
2013-07-17	CWE Content Team	2.5	—	updated References, Relationships
2014-07-30	CWE Content Team	2.8	—	updated Detection_Factors
2015-12-07	CWE Content Team	2.9	—	updated Relationships
2017-11-08	CWE Content Team	3.0	—	updated Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
2018-03-27	CWE Content Team	3.1	—	updated References, Relationship_Notes, Research_Gaps
2019-09-19	CWE Content Team	3.4	—	updated Relationships
2020-02-24	CWE Content Team	4.0	—	updated Relationships
2020-06-25	CWE Content Team	4.1	—	updated Relationships, Theoretical_Notes
2020-08-20	CWE Content Team	4.2	—	updated Relationships
2021-07-20	CWE Content Team	4.5	—	updated Relationships
2021-10-28	CWE Content Team	4.6	—	updated Relationships
2022-06-28	CWE Content Team	4.8	—	updated Relationships
2023-04-27	CWE Content Team	4.11	—	updated References, Relationships
2023-06-29	CWE Content Team	4.12	—	updated Mapping_Notes, Relationships
2024-11-19	CWE Content Team	4.16	—	updated Relationships
2025-04-03	CWE Content Team	4.17	—	updated Alternate_Terms, Common_Consequences, Description, Diagram
2025-09-09	CWE Content Team	4.18	—	updated Detection_Factors, Potential_Mitigations, References
2025-12-11	CWE Content Team	4.19	—	updated Applicable_Platforms, Relationships, Weakness_Ordinalities

Contributions

Type	Name	Date	Comment
Content	Abhi Balakrishnan	2024-02-29	Contributed usability diagram concepts used by the CWE team.