CVE-2019-25682

CMSsite 1.0 Cross-Site Request Forgery via users.php

CVSS 5.3 MEDIUM · EPSS 0.1% · CWE-352
Vexday Risk Score
33 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.3 · EPSS 0.1% · KEV no · Public PoC · Nuclei · Metasploit · Patch
Lifecycle
05 Apr 2026 · Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Affected products
VictorAlagwu · CMSsite
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.