
Description

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.

PUBLISHED Reserved 2026-04-05 | Published 2026-04-05 | Updated 2026-04-06 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L)
MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Problem types

Cross-Site Request Forgery (CSRF)

Product status

1.0: affected

Credits

Mr Winst0n (finder)

References

www.exploit-db.com/exploits/46480 (ExploitDB-46480) exploit

github.com/VictorAlagwu/CMSsite (Official Product Homepage) product

www.vulncheck.com/...ross-site-request-forgery-via-users-php (VulnCheck Advisory: CMSsite 1.0 Cross-Site Request Forgery via users.php) third-party-advisory

cve.org (CVE-2019-25682)

nvd.nist.gov (CVE-2019-25682)
