Description
Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows a remote attacker to delete arbitrary user accounts by luring an authenticated administrator to a page that issues a forged cross-origin GET request to the endpoint (for example via a link or image reference). The endpoint performs a state-changing action on GET, authorizes it solely on the session cookie the browser attaches automatically, and has no anti-CSRF token or origin check.
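The following is an added illustrative example, not code from the affected application or its vendor: a reconstruction of the vulnerable handler pattern the description implies, placed beside a hardened version of the same delete action. The request parameter name (id), the users table and column names, the session keys (user_id, role) and the role check are assumptions, since the page does not show the application's code. The hardened handler refuses GET, checks the browser-asserted origin, and requires a per-session synchronizer token; the SameSite cookie attribute is added as defense in depth only, because SameSite=Lax still sends the cookie on top-level GET navigations, which is exactly the request shape this flaw relies on.

```php
<?php
// Added example (not the application's own code). Parameter names, table
// and column names, and session keys are assumptions for illustration.

// Defense in depth: Lax blocks cross-site POST but NOT top-level GET
// navigations, so on its own it does not fix a GET-triggered delete.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- Vulnerable pattern described in the advisory: a GET endpoint that
// --- authorizes purely on the presence of a session, so any cross-origin
// --- page that makes the victim's browser fetch the URL deletes a user.
function delete_user_vulnerable(PDO $db): void
{
    if (empty($_SESSION['user_id'])) {       // only check: is a session present?
        header('Location: login.php');
        exit;
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->execute([$_GET['id'] ?? 0]);      // state change on a GET request
    header('Location: users.php');
    exit;
}

// --- Hardened form: same action, with the checks a CSRF-safe handler needs.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // per-session synchronizer token
    }
    return $_SESSION['csrf_token'];
}

function same_origin_request(): bool
{
    // Sec-Fetch-Site is set by the browser and cannot be forged by page script.
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null) {
        return $site === 'same-origin' || $site === 'none';
    }
    // Older browsers: fall back to Origin, which every browser sends on POST.
    $scheme   = empty($_SERVER['HTTPS']) ? 'http://' : 'https://';
    $expected = $scheme . ($_SERVER['HTTP_HOST'] ?? '');
    $origin   = $_SERVER['HTTP_ORIGIN'] ?? '';
    return $origin !== '' && hash_equals($expected, $origin);
}

function delete_user_hardened(PDO $db): void
{
    // Authorization: a valid session is not enough, the caller must be an admin.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('forbidden');
    }
    // 1. Never change state on GET: an <img> or <a> on a foreign page can only produce GETs.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('method not allowed');
    }
    // 2. The browser-asserted origin must be our own site.
    if (!same_origin_request()) {
        http_response_code(403);
        exit('cross-site request rejected');
    }
    // 3. Synchronizer token: a foreign page cannot read it, so it cannot send it.
    $sent = $_POST['csrf_token'] ?? '';
    if ($sent === '' || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // 4. Validate the target and refuse self-deletion of the acting admin.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null || $id === (int) $_SESSION['user_id']) {
        http_response_code(400);
        exit('bad id');
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->execute([$id]);
    header('Location: users.php');
    exit;
}

// The legitimate UI must submit via POST and carry the token; the attacker's
// page cannot build this form because it cannot read the victim's token.
function render_delete_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete-user.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button type="submit">Delete</button></form>';
}

// In the endpoint, replace the vulnerable handler with:
//   delete_user_hardened($db);   // $db is the application's existing PDO handle
```

Each of the three request checks blocks the attack independently: the method check alone defeats the GET-based vector on this page, the origin check covers cross-site POSTs from browsers that send Sec-Fetch-Site or Origin, and the token check remains effective even if the browser-supplied headers are absent. Keeping all three means the fix does not depend on any single browser feature.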
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63712/README4.md
Scores
CVSS v3
8.8
EPSS
0.0003
EPSS Percentile
7.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (1)
senior-walter/web-based_pharmacy_product_management_system
1.0
Published
Nov 10, 2025
Tracked Since
Feb 18, 2026