CVE-2012-4902

Template CMS < 2.1.1 - Cross-Site Request Forgery via Admin User Creation or Theme Editor

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4902. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in Template CMS 2.1.1. It includes PoC code for executing arbitrary JavaScript in an admin's session and performing unauthorized actions like adding a new admin or injecting PHP code.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php.

Exploits (1)

exploitdb WORKING POC
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/21742

The exploit demonstrates Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in Template CMS 2.1.1. It includes PoC code for executing arbitrary JavaScript in an admin's session and performing unauthorized actions like adding a new admin or injecting PHP code.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Template CMS 2.1.1
Auth required
Prerequisites: Admin session active · Victim must visit malicious page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/85896
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/55766
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/21742/

Scores

EPSS 0.0132
EPSS Percentile 67.1%

Details

CWE
CWE-352
Status published
Products (1)
template_cms_project/template_cms < 2.1.1
Published May 20, 2015
Tracked Since Feb 18, 2026