
CWE-352 (Cross-Site Request Forgery (CSRF)) — Vulnerability Class 4773

4773 vulnerabilities classified as CWE-352 (Cross-Site Request Forgery (CSRF)). AI Chinese analysis included.

CWE-352, Cross-Site Request Forgery, is a web application weakness where the system fails to verify that an incoming request was intentionally initiated by the authenticated user rather than an unauthorized actor. Attackers typically exploit this vulnerability by tricking a victim into submitting a malicious request, often via a hidden link or form on a third-party site, while the victim is logged into the target application. Because the browser automatically includes valid session cookies, the server processes the forged request as legitimate, potentially allowing unauthorized actions like fund transfers or profile changes. Developers mitigate this risk by implementing anti-CSRF tokens, synchronizer tokens, or validating the Origin and Referer headers to ensure requests originate from trusted sources, thereby preventing unauthorized state changes.

MITRE CWE Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Non-Repudiation, Access Control
Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart
The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could trick a client into making an unintentional request to the web server via a URL, image load, XMLHttpRequest, etc., which would then be treated as an authentic request from the client…
Mitigations (5)
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Implementation: Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Architecture and Design: Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]
Architecture and Design: Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
Architecture and Design: Use the "double-submitted cookie" method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the f…
Examples (1)
This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.
<form action="/url/profile.php" method="post">
    <input type="text" name="firstname"/>
    <input type="text" name="lastname"/>
    <br/>
    <input type="text" name="email"/>
    <input type="submit" name="submit" value="Update"/>
</form>
Bad · HTML
// initiate the session in order to validate sessions
session_start();

// if the session is registered to a valid user then allow update
// (session_is_registered() was removed in PHP 5.4; it is kept here as in the MITRE example)
if (! session_is_registered("username")) {
    echo "invalid session detected!";
    // Redirect user to login page
    [...]
    exit;
}

// The user session is valid, so process the request
// and update the information. Nothing here checks that the
// user, rather than a third-party page, initiated the POST.
update_profile();

function update_profile() {
    // read in the data from $_POST and send an update
    // to the database
    SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
    [...]
    echo "Your profile has been successfully updated.";
}
Bad · PHP
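The mitigations listed above describe the per-form synchronizer token, the double-submitted cookie and Origin/Referer validation, while the PHP example shows a handler that trusts the session alone. The following Python is an added example, not code from MITRE or from this site, that applies those three checks to the same profile-update flow. The Request class, the "__Host-csrf" cookie name, the "https://bank.example" origin and every function name are assumptions made for the demo, and the requests it builds are constructed inline.

```python
# Added example, not MITRE's code and not this site's: the profile-update flow from
# the PHP example, guarded by three mitigations listed on the page (per-form synchronizer
# token, session-bound double-submitted cookie, Origin/Referer validation). The Request
# class, cookie name, allowed origin and all function names are assumptions for this demo.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)        # constructed; a real app loads it from config
ALLOWED_ORIGINS = {"https://bank.example"}  # assumed trusted origin
CSRF_COOKIE = "__Host-csrf"                 # __Host- prefix: Secure, Path=/, no Domain


@dataclass
class Request:  # minimal stand-in for a framework request object (constructed)
    method: str
    headers: dict
    cookies: dict
    form: dict
    session: dict


# Mitigation 1: synchronizer token, an unpredictable nonce kept server-side per session.
def issue_synchronizer_token(session):
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", []).append(token)
    return token


def verify_synchronizer_token(session, submitted):
    # Accept only a token issued to this session; each token is single use.
    if not submitted:
        return False
    tokens = session.get("csrf_tokens", [])
    for stored in tokens:
        if hmac.compare_digest(stored.encode(), submitted.encode()):
            tokens.remove(stored)
            return True
    return False


# Mitigation 2: double-submitted cookie. The value is set as a cookie and echoed in the
# form; a cross-site page cannot read the cookie, so it cannot supply the form copy. The
# HMAC over the session id means a cookie planted from elsewhere does not verify either.
def issue_double_submit_cookie(session_id):
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_double_submit(cookie_value, form_value, session_id):
    if not cookie_value or not form_value:
        return False
    if not hmac.compare_digest(cookie_value.encode(), form_value.encode()):
        return False
    nonce, _, mac = cookie_value.partition(".")
    expected = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# Mitigation 3: Origin/Referer validation. A missing header and the literal "null"
# origin are both treated as untrusted for state-changing requests.
def origin_is_trusted(headers):
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin != "null" and origin in ALLOWED_ORIGINS


def handle_profile_update(request, scheme):
    # Counterpart of the PHP update_profile(): a valid session alone is not enough.
    session = request.session
    if request.method != "POST" or "username" not in session:
        return "invalid session or method"
    submitted = request.form.get("csrf_token")
    if scheme == "synchronizer":
        token_ok = verify_synchronizer_token(session, submitted)
    else:
        token_ok = verify_double_submit(request.cookies.get(CSRF_COOKIE), submitted, session["id"])
    if not token_ok:
        return "rejected: missing or invalid CSRF token"
    if not origin_is_trusted(request.headers):
        return "rejected: untrusted origin"
    # SendUpdateToDatabase(session["username"], request.form["email"]) would run here.
    return f"updated email for {session['username']}"


def demo():
    # Constructed requests: genuine, replayed, forged cross-site, and null-origin.
    session = {"id": "sess-42", "username": "alice"}
    form_token = issue_synchronizer_token(session)
    cookie_token = issue_double_submit_cookie(session["id"])
    # The browser attaches these cookies to every request to the site, forged ones included.
    cookies = {"PHPSESSID": session["id"], CSRF_COOKIE: cookie_token}
    site, evil = {"Origin": "https://bank.example"}, {"Origin": "https://evil.example"}
    genuine = Request("POST", site, cookies, {"email": "a@example.org", "csrf_token": form_token}, session)
    genuine_dsc = Request("POST", site, cookies, {"email": "a@example.org", "csrf_token": cookie_token}, session)
    # The third-party page can trigger the POST but cannot read the session or the cookie.
    forged = Request("POST", evil, cookies, {"email": "x@evil.example"}, session)
    null_origin = Request("POST", {"Origin": "null"}, cookies, {"csrf_token": cookie_token}, session)
    return {
        "genuine_sync": handle_profile_update(genuine, "synchronizer"),
        "replay_sync": handle_profile_update(genuine, "synchronizer"),
        "genuine_double_submit": handle_profile_update(genuine_dsc, "double-submit"),
        "forged_sync": handle_profile_update(forged, "synchronizer"),
        "forged_double_submit": handle_profile_update(forged, "double-submit"),
        "null_origin": handle_profile_update(null_origin, "double-submit"),
    }
```

demo() returns one outcome per scenario: the genuine submission updates the profile, a replay of the same synchronizer token is refused because tokens are single use, both forged requests fail even though the browser sent the victim's cookies, and a request carrying the literal null origin is refused despite a valid token (compare CVE-2026-27978 in the table below, where a null origin slipped past a framework's check). A real application picks one token scheme; the scheme argument exists only so the demo exercises both. As the Implementation mitigation notes, none of this holds if the site also has an XSS flaw, since script running in the page can read both the token and the cookie.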
CVE ID | Title | Product | CVSS | Severity | Published
-------|-------|---------|------|----------|----------
CVE-2026-4143 | Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update | Neos Connector for Fakturama | 4.3 | Medium | 2026-03-21
CVE-2025-14037 | Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion | Invelity Product Feeds | 8.1 | High | 2026-03-21
CVE-2026-1503 | login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | Plugin Name: login_register | 4.3 | Medium | 2026-03-21
CVE-2026-3331 | Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update | Lobot Slider Administrator | 4.3 | Medium | 2026-03-21
CVE-2026-1392 | SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update | SR WP Minify HTML | 4.3 | Medium | 2026-03-21
CVE-2026-3332 | Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update | Xhanch – My Advanced Settings | 4.3 | Medium | 2026-03-21
CVE-2026-1390 | Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update | Redirect countdown | 4.3 | Medium | 2026-03-21
CVE-2026-1378 | WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update | WP Posts Re-order | 4.3 | Medium | 2026-03-21
CVE-2026-1393 | Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update | Add Google Social Profiles to Knowledge Graph Box | 4.3 | Medium | 2026-03-21
CVE-2026-32989 | Precurio Intranet Portal 4.4: Cross-Site Request Forgery leading to arbitrary file upload | Precurio Intranet Portal | 8.8 | High | 2026-03-20
CVE-2024-32537 | WordPress Flash Video Player plugin <= 5.0.4 - CSRF to XSS vulnerability | Flash Video Player | 7.1 | High | 2026-03-20
CVE-2026-32816 | Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions | admidio | 5.7 | Medium | 2026-03-19
CVE-2026-32755 | Admidio is Missing CSRF Protection on Role Membership Date Changes | admidio | 5.7 | Medium | 2026-03-19
CVE-2026-4068 | Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter | Add Custom Fields to Media | 4.3 | Medium | 2026-03-19
CVE-2026-22323 | Cross-Site Request Forgery in Link Aggregation Configuration | FL SWITCH 2005 | 7.1 | High | 2026-03-18
CVE-2026-27978 | Next.js: null origin can bypass Server Actions CSRF checks | next.js | 8.8 | - | 2026-03-17
CVE-2026-32839 | Edimax GS-5008PL <= 1.00.54 CSRF via Management CGI Endpoints | Edimax GS-5008PL | 4.3 | Medium | 2026-03-17
CVE-2026-29521 | Hereta ETH-IMC408M CSRF via Configuration Setup | Hereta ETH-IMC408M | 4.3 | Medium | 2026-03-16
CVE-2025-69238 | Cross-Site Request Forgery in Raytha CMS | Raytha | 6.5 | - | 2026-03-16
CVE-2017-20221 | Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution | SDT-CS3B1 | 4.3 | Medium | 2026-03-16
CVE-2016-20035 | Wowza Streaming Engine 4.5.0 CSRF via user edit endpoint | Wowza Streaming Engine | 5.3 | Medium | 2026-03-15
CVE-2016-20034 | Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit | Wowza Streaming Engine | 8.8 | High | 2026-03-15
CVE-2015-20117 | RealtyScript 4.0.2 Cross-Site Request Forgery Unauthorized User Creation | RealtyScript | 5.3 | Medium | 2026-03-15
CVE-2015-20113 | RealtyScript 4.0.2 Multiple Cross-Site Request Forgery and Persistent Cross-Site Scripting Vulnerabilities | RealtyScript | 5.3 | Medium | 2026-03-15
CVE-2016-20028 | ZKTeco ZKBioSecurity 3.0 Cross-Site Request Forgery Superadmin | ZKTeco ZKBioSecurity | 4.3 | Medium | 2026-03-15
CVE-2026-32456 | WordPress Admin Menu Editor plugin <= 1.14.1 - Cross Site Request Forgery (CSRF) vulnerability | Admin Menu Editor | 4.3 | Medium | 2026-03-13
CVE-2026-32443 | WordPress Product Feed PRO for WooCommerce plugin <= 13.5.2 - Cross Site Request Forgery (CSRF) vulnerability | Product Feed PRO for WooCommerce | 6.5 | Medium | 2026-03-13
CVE-2026-32420 | WordPress GamiPress plugin <= 7.6.6 - Cross Site Request Forgery (CSRF) vulnerability | GamiPress | 5.4 | Medium | 2026-03-13
CVE-2026-32343 | WordPress Easy Table of Contents plugin <= 2.0.80 - Cross Site Request Forgery (CSRF) vulnerability | Easy Table of Contents | 4.3 | Medium | 2026-03-13
CVE-2026-32344 | WordPress Corpiva theme <= 1.0.96 - Cross Site Request Forgery (CSRF) vulnerability | Corpiva | 4.3 | Medium | 2026-03-13

Vulnerabilities classified as CWE-352 (Cross-Site Request Forgery (CSRF)) represent 4773 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.