CVE-2019-25682

MEDIUM

CMSsite 1.0 Cross-Site Request Forgery via users.php

Title source: cna

Description

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.

Exploits (1)

exploitdb WORKING POC

by Mr Winst0n · textwebappsphp

https://www.exploit-db.com/exploits/46480

View Code ZIP pw:eip

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-46480

https://www.exploit-db.com/exploits/46480

Product product

Official Product Homepage

https://github.com/VictorAlagwu/CMSsite

Third Party Advisory third-party-advisory

VulnCheck Advisory: CMSsite 1.0 Cross-Site Request Forgery via users.php

https://www.vulncheck.com/advisories/cmssite-cross-site-request-forgery-via-users-php

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 2.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (2)

victoralagwu/cmssite 1.0

VictorAlagwu/CMSsite 1.0

Published Apr 05, 2026

Tracked Since Apr 06, 2026