
CWE-352 (Cross-Site Request Forgery (CSRF)) — Vulnerability Class 4777

4777 vulnerabilities classified as CWE-352 (Cross-Site Request Forgery (CSRF)). AI Chinese analysis included.

CWE-352, Cross-Site Request Forgery, is a web application weakness where the system fails to verify that an incoming request was intentionally initiated by the authenticated user rather than an unauthorized actor. Attackers typically exploit this vulnerability by tricking a victim into submitting a malicious request, often via a hidden link or form on a third-party site, while the victim is logged into the target application. Because the browser automatically includes valid session cookies, the server processes the forged request as legitimate, potentially allowing unauthorized actions like fund transfers or profile changes. Developers mitigate this risk by implementing anti-CSRF tokens, synchronizer tokens, or validating the Origin and Referer headers to ensure requests originate from trusted sources, thereby preventing unauthorized state changes.

MITRE CWE Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Common Consequences (1)
Confidentiality, Integrity, Availability, Non-Repudiation, Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart
The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client…
Mitigations (5)
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Implementation: Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Architecture and Design: Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]
Architecture and Design: Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
Architecture and Design: Use the "double-submitted cookie" method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the f…
Examples (1)
This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.
<form action="/url/profile.php" method="post">
    <input type="text" name="firstname"/>
    <input type="text" name="lastname"/>
    <br/>
    <input type="text" name="email"/>
    <input type="submit" name="submit" value="Update"/>
</form>
Bad · HTML
<?php
// initiate the session in order to validate sessions
session_start();

// if the session is registered to a valid user then allow update
if (! session_is_registered("username")) {
    echo "invalid session detected!";
    // Redirect user to login page
    [...]
    exit;
}

// The user session is valid, so process the request
// and update the information
update_profile();

function update_profile() {
    // read in the data from $_POST and send an update
    // to the database
    SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
    [...]
    echo "Your profile has been successfully updated.";
}
Bad · PHP
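As an added example (not MITRE's code and not the page's), the same profile update rewritten with two of the mitigations listed above: a per-session synchronizer token carried in a hidden field, compared in constant time against the session copy and against a double-submitted cookie. The field and cookie names are assumptions, and SendUpdateToDatabase() is the page's own placeholder, assumed to exist elsewhere.

```php
<?php
// Added example, not MITRE's code: the profile update above, hardened with a
// per-session synchronizer token plus the "double-submitted cookie" check.
// Field/cookie names are assumptions; SendUpdateToDatabase() is the page's placeholder.
declare(strict_types=1);
session_start();
const CSRF_FIELD  = 'csrf_token';
const CSRF_COOKIE = 'csrf_cookie';

// One unpredictable token per session, from a CSPRNG (avoids CWE-330).
function csrf_token(): string {
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Double-submit half: the same value also rides in a cookie that a third-party
// page cannot read; SameSite=Strict keeps it off cross-site requests entirely.
function issue_csrf_cookie(): void {
    setcookie(CSRF_COOKIE, csrf_token(), [
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
}

// Valid only if session token, hidden form field and cookie all agree.
// hash_equals() compares in constant time, so the check leaks no timing signal.
function csrf_request_is_valid(array $post, array $cookie, array $session): bool {
    $expected = $session[CSRF_FIELD] ?? '';
    return $expected !== ''
        && hash_equals($expected, (string)($post[CSRF_FIELD] ?? ''))
        && hash_equals($expected, (string)($cookie[CSRF_COOKIE] ?? ''));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['username'])) {
        http_response_code(401); exit('invalid session detected!');
    }
    // A forged cross-site POST carries the victim's session cookie but cannot
    // supply the matching hidden field, so it is refused before any state change.
    if (!csrf_request_is_valid($_POST, $_COOKIE, $_SESSION)) {
        http_response_code(403); exit('request rejected: CSRF token mismatch');
    }
    SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
    echo "Your profile has been successfully updated.";
} else {
    issue_csrf_cookie();
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form action="/url/profile.php" method="post">'
       . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '"/>'
       . '<input type="text" name="email"/><input type="submit" value="Update"/></form>';
}
```

Because the mitigation text notes that XSS (CWE-79) defeats token schemes, this check only holds on pages free of script injection.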
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-58818 | WordPress Developer Tools Blocker Plugin <= 3.2.1 - Cross Site Request Forgery (CSRF) Vulnerability | Developer Tools Blocker | 5.4 | Medium | 2025-09-05
CVE-2025-58809 | WordPress To Lead For Salesforce Plugin <= 2.7.3.9 - Cross Site Request Forgery (CSRF) Vulnerability | To Lead For Salesforce | 7.1 | High | 2025-09-05
CVE-2025-58807 | WordPress Purge Varnish Cache Plugin <= 2.6 - Cross Site Request Forgery (CSRF) Vulnerability | Purge Varnish Cache | 7.1 | High | 2025-09-05
CVE-2025-58806 | WordPress WordPress Error Monitoring by Bugsnag Plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) Vulnerability | WordPress Error Monitoring by Bugsnag | 7.1 | High | 2025-09-05
CVE-2025-58804 | WordPress WooCommerce Single Page Checkout Plugin <= 1.2.7 - Cross Site Request Forgery (CSRF) Vulnerability | WooCommerce Single Page Checkout | 4.3 | Medium | 2025-09-05
CVE-2025-58801 | WordPress Responder Plugin <= 4.3.8 - Cross Site Request Forgery (CSRF) Vulnerability | Responder | 5.4 | Medium | 2025-09-05
CVE-2025-58802 | WordPress TrustMate.io – WooCommerce integration plugin <= 1.16.0 - Cross Site Request Forgery (CSRF) vulnerability | TrustMate.io – WooCommerce integration | 4.3 | Medium | 2025-09-05
CVE-2025-58800 | WordPress WP Email Template plugin <= 2.8.5 - Cross Site Request Forgery (CSRF) vulnerability | WP Email Template | 4.3 | Medium | 2025-09-05
CVE-2025-58799 | WordPress Custom WooCommerce Checkout Fields Editor Plugin <= 1.3.4 - Cross Site Request Forgery (CSRF) Vulnerability | Custom WooCommerce Checkout Fields Editor | 4.3 | Medium | 2025-09-05
CVE-2025-58798 | WordPress BCM Duplicate Menu plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) vulnerability | BCM Duplicate Menu | 4.3 | Medium | 2025-09-05
CVE-2025-58794 | WordPress Notification for Telegram plugin <= 3.5 - Cross Site Request Forgery (CSRF) vulnerability | Notification for Telegram | 4.3 | Medium | 2025-09-05
CVE-2025-58792 | WordPress Authors List plugin <= 2.0.6.2 - Cross Site Request Forgery (CSRF) vulnerability | Authors List | 4.3 | Medium | 2025-09-05
CVE-2025-9616 | PopAd <= 1.0.4 - Cross-Site Request Forgery to Settings Update | PopAd | 5.3 | Medium | 2025-09-04
CVE-2025-20326 | Cisco Unified Communications Manager Cross-Site Request Forgery Vulnerability | Cisco Unified Communications Manager | 4.3 | Medium | 2025-09-03
CVE-2025-58611 | WordPress Tickera Plugin <= 3.5.5.6 - Cross Site Request Forgery (CSRF) Vulnerability | Tickera | 4.3 | Medium | 2025-09-03
CVE-2025-58272 | NTT EAST Web Caster V130 Cross-Site Request Forgery Vulnerability | Web Caster V130 | 4.3 (AI) | Medium (AI) | 2025-09-03
CVE-2025-0610 | CSRF in Akinsoft's QR Menu | QR Menü | 8.6 | High | 2025-09-01
CVE-2025-9747 | Koillection csrf_protection_controller.js cross-site request forgery | Koillection | 4.3 | Medium | 2025-08-31
CVE-2025-9618 | Related Posts Lite <= 1.12 - Cross-Site Request Forgery | Related Posts Lite | 4.3 | Medium | 2025-08-30
CVE-2025-9374 | Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery | Ultimate Tag Warrior Importer | 4.3 | Medium | 2025-08-29
CVE-2025-48363 | WordPress Popup for CF7 with Sweet Alert plugin <= 1.6.5 - Cross Site Request Forgery (CSRF) vulnerability | Popup for CF7 with Sweet Alert | 4.3 | Medium | 2025-08-28
CVE-2025-48362 | WordPress Hesabfa Accounting plugin <= 2.2.5 - Cross Site Request Forgery (CSRF) vulnerability | Hesabfa Accounting | 5.4 | Medium | 2025-08-28
CVE-2025-48359 | WordPress ATT YouTube Widget plugin <= 1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability | ATT YouTube Widget | 7.1 | High | 2025-08-28
CVE-2025-48357 | WordPress Century ToolKit plugin <= 1.2.1 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Activation vulnerability | Century ToolKit | 5.4 | Medium | 2025-08-28
CVE-2025-48353 | WordPress Clickbank WordPress Plugin (Niche Storefront) plugin <= 1.3.5 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability | Clickbank WordPress Plugin (Niche Storefront) | 7.1 | High | 2025-08-28
CVE-2025-48351 | WordPress Kento Splash Screen plugin <= 1.4 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability | Kento Splash Screen | 7.1 | High | 2025-08-28
CVE-2025-48343 | WordPress WPMU Ldap Authentication plugin <= 5.0.1 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability | WPMU Ldap Authentication | 7.1 | High | 2025-08-28
CVE-2025-48325 | WordPress WP Admin Theme plugin <= 1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability | WP Admin Theme | 7.1 | High | 2025-08-28
CVE-2025-48321 | WordPress Ultimate twitter profile widget plugin <= 1.0 - CSRF to Stored XSS vulnerability | Ultimate twitter profile widget | 7.1 | High | 2025-08-28
CVE-2025-48320 | WordPress 百度分享按钮 plugin <= 1.0.6 - CSRF to Stored XSS vulnerability | 百度分享按钮 | 7.1 | High | 2025-08-28

Vulnerabilities classified as CWE-352 (Cross-Site Request Forgery (CSRF)) represent 4777 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.