CVE-2025-25967

HIGH

Acora CMS 10.1.1 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-25967. PoCs published by padayali-JD.

AI-analyzed exploit summary This repository contains a writeup describing CVE-2025-25967, a CSRF vulnerability in Acora CMS v10.1.1. The flaw allows attackers to trick authenticated users into performing unauthorized actions via crafted requests.

Description

Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation, by embedding malicious requests in external content. The lack of CSRF protections allows exploitation via crafted requests.

Exploits (1)

nomisec WRITEUP

by padayali-JD · poc

https://github.com/padayali-JD/CVE-2025-25967

View Code ZIP pw:eip

This repository contains a writeup describing CVE-2025-25967, a CSRF vulnerability in Acora CMS v10.1.1. The flaw allows attackers to trick authenticated users into performing unauthorized actions via crafted requests.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Acora CMS v10.1.1

Auth required

Prerequisites: Authenticated user session · Victim interaction with malicious link

MITRE ATT&CK

T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory

https://github.com/padayali-JD/CVE-2025-25967

Scores

CVSS v3 8.8

EPSS 0.0050

EPSS Percentile 38.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

ddsn/acora_cms 10.1.1

Published Mar 03, 2025

Tracked Since Feb 18, 2026