CVE-2015-7293

HIGH

Plone - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7293. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: The exploit demonstrates a CSRF vulnerability in Zope Management Interface (ZMI) and Plone, allowing an attacker to perform actions such as adding links or injecting persistent XSS via crafted POST requests. The PoC includes HTML forms that automatically submit malicious requests to vulnerable endpoints.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.

Exploits (1)

exploitdb WORKING POC
by hyp3rlinx · text · webapps · python
https://www.exploit-db.com/exploits/38411

Classification
Working PoC 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Zope Management Interface 4.3.7 and Plone versions prior to 5.x
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target Zope/Plone instance must be accessible
devstral-2 · analyzed Feb 18, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/38411/
Third Party Advisory · x_refsource_confirm
https://pypi.python.org/pypi/plone4.csrffixes
Vendor Advisory · x_refsource_confirm
https://plone.org/security/hotfix/20151006

Scores

CVSS v3 8.8
EPSS 0.0033
EPSS Percentile 56.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (48)
plone/plone 3.3
plone/plone 3.3.1
plone/plone 3.3.2
plone/plone 3.3.3
plone/plone 3.3.4
plone/plone 3.3.5
plone/plone 3.3.6
plone/plone 4.0
plone/plone 4.0.1
plone/plone 4.0.2
... and 38 more
Published Sep 25, 2017
Tracked Since Feb 18, 2026