CVE-2019-25682

MEDIUM

CMSsite 1.0 Cross-Site Request Forgery via users.php

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25682. PoCs published by Mr Winst0n.

AI-analyzed exploit summary The exploit demonstrates three CSRF vulnerabilities in CMSsite 1.0, allowing an attacker to delete an admin, edit admin details, or add a new admin via crafted HTML forms. The PoC includes functional HTML/JavaScript code that can be used to trigger these actions if a victim visits the malicious page while authenticated.

Description

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.

Exploits (1)

exploitdb WORKING POC
by Mr Winst0n · textwebappsphp
https://www.exploit-db.com/exploits/46480

The exploit demonstrates three CSRF vulnerabilities in CMSsite 1.0, allowing an attacker to delete an admin, edit admin details, or add a new admin via crafted HTML forms. The PoC includes functional HTML/JavaScript code that can be used to trigger these actions if a victim visits the malicious page while authenticated.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: CMSsite 1.0
Auth required
Prerequisites: Victim must be authenticated as an admin · Victim must visit the malicious HTML page
devstral-2 · analyzed Apr 07, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-46480
https://www.exploit-db.com/exploits/46480
Product product
Official Product Homepage
https://github.com/VictorAlagwu/CMSsite
Third Party Advisory third-party-advisory
VulnCheck Advisory: CMSsite 1.0 Cross-Site Request Forgery via users.php
https://www.vulncheck.com/advisories/cmssite-cross-site-request-forgery-via-users-php

Scores

CVSS v3 4.3
EPSS 0.0013
EPSS Percentile 3.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (2)
victoralagwu/cmssite 1.0
VictorAlagwu/CMSsite 1.0
Published Apr 05, 2026
Tracked Since Apr 06, 2026