Apache Wicket is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is caused due to an error in the evaluation of the fetch metadata headers within FetchMetadataResourceIsolationPolicy.java
. This allows an attacker to bypass the Cross-Site Request Forgery (CSRF) protection mechanism.