CVE-2019-25682 Overview
CVE-2019-25682 is a cross-site request forgery [CWE-352] vulnerability in CMSsite 1.0 by victoralagwu. The flaw resides in the users.php endpoint, which processes administrative actions without validating request origin or anti-CSRF tokens. An attacker can craft a malicious HTML page that submits POST requests to users.php with parameters such as source=add_user, source=edit_user, or del=1. When an authenticated administrator visits the attacker-controlled page, the browser submits the forged request using the active session. This enables unauthorized creation, modification, or deletion of administrator accounts.
Critical Impact
Attackers can hijack administrative sessions to create rogue admin accounts or delete existing ones, leading to full takeover of the CMSsite installation.
Affected Products
- victoralagwu CMSsite 1.0
- Installations exposing users.php to authenticated administrators
- Deployments without anti-CSRF token enforcement or SameSite cookie configuration
Discovery Timeline
- 2026-04-05 - CVE-2019-25682 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2019-25682
Vulnerability Analysis
The vulnerability stems from missing CSRF protection on state-changing operations in the CMSsite administrative panel. The users.php script accepts POST requests for user management based solely on session cookies. No synchronizer token, double-submit cookie, or origin header validation is performed before executing privileged actions.
When an authenticated administrator browses to an attacker-controlled page, the page can auto-submit a hidden form targeting the CMSsite instance. The browser attaches the administrator's session cookie, and the server processes the action as legitimate. The source parameter selects the operation: add_user provisions a new account, edit_user modifies an existing one, and del=1 removes a user record.
Because the attacker controls all POST parameters in the forged form, they choose the new administrator's username, password, and role. Exploitation requires only that the victim hold an active admin session and load the crafted page. Refer to the VulnCheck Advisory on CMSsite CSRF and Exploit-DB #46480 for full technical details.
Root Cause
The application does not implement any anti-CSRF defense. There is no per-request token tied to the user session, no verification of the Origin or Referer header, and cookies are not configured with the SameSite attribute. Any cross-origin POST request carrying valid session cookies is honored.
Attack Vector
Exploitation is network-based and requires social engineering. The attacker hosts a page containing a hidden form pointing to the target CMSsite users.php endpoint. The administrator must be authenticated and must visit the page or click a malicious link. No user interaction beyond visiting the page is needed if the form auto-submits via JavaScript.
No verified proof-of-concept code is reproduced here. See the GitHub CMSsite Repository and Exploit-DB #46480 for the published exploit structure.
Detection Methods for CVE-2019-25682
Indicators of Compromise
- Unexpected administrator accounts appearing in the CMSsite users table.
- POST requests to /users.php with source=add_user, source=edit_user, or del=1 originating from external Referer headers.
- Web server logs showing admin actions with Referer values pointing to domains outside the application.
- Deleted or modified admin user records without corresponding administrator console activity.
Detection Strategies
- Inspect HTTP access logs for POST requests to users.php and correlate the Referer header against the application's own hostname.
- Monitor the users database table for inserts, updates, and deletes outside change-management windows.
- Alert on consecutive admin authentication events followed by user-management POSTs from atypical IP geolocations.
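The Referer correlation described in the strategies above, as an added example rather than a tool from the advisory or from CMSsite: a PHP command-line script that scans combined-format access log lines (constructed samples embedded below) for POSTs to /users.php whose Referer is absent or names a foreign host. The hostname cms.example.org and the function name are assumptions.

```php
<?php
// Added example (not part of the advisory or CMSsite): flag POSTs to /users.php whose
// Referer is missing ("-") or points at a host other than the application's own.
declare(strict_types=1);

const APP_HOST = 'cms.example.org'; // assumption: the CMSsite installation's own hostname

// Constructed sample lines in nginx/Apache combined log format.
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [05/Apr/2026:09:00:01 +0000] "POST /users.php?source=add_user HTTP/1.1" 302 0 "https://cms.example.org/users.php" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2026:09:02:44 +0000] "POST /users.php?source=add_user HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2026:09:03:10 +0000] "POST /users.php?del=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2026:09:04:00 +0000] "GET /users.php HTTP/1.1" 200 5120 "https://lure.example/page.html" "Mozilla/5.0"
LOG;

// Returns one finding per suspicious line. A missing Referer is flagged as well, so
// browsers under a strict referrer policy will show up here and need whitelisting by IP.
function find_cross_origin_admin_posts(string $log, string $host): array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    $findings = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $ts, $method, $target, , $referer] = $m;
        if ($method !== 'POST' || (string) parse_url($target, PHP_URL_PATH) !== '/users.php') {
            continue;
        }
        $refHost = $referer === '-' ? '' : (string) parse_url($referer, PHP_URL_HOST);
        if (strcasecmp($refHost, $host) === 0) {
            continue; // same-site form submission
        }
        // The operation is only visible when it rides in the query string; POST body
        // parameters (source=..., del=1) need application-level logging to recover.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $q);
        $op = $q['source'] ?? (isset($q['del']) ? 'del=' . $q['del'] : 'unknown (body not logged)');
        $findings[] = ['line' => $i + 1, 'ip' => $ip, 'time' => $ts, 'referer' => $referer, 'op' => $op];
    }
    return $findings;
}

foreach (find_cross_origin_admin_posts(SAMPLE_LOG, APP_HOST) as $f) {
    printf("line %d: %s at %s op=%s referer=%s\n", $f['line'], $f['ip'], $f['time'], $f['op'], $f['referer']);
}
```

On the constructed sample the script reports lines 2 and 3 (the add_user POST referred from lure.example and the del=1 POST with no Referer) and stays silent on the same-site POST and the GET.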
Monitoring Recommendations
- Forward web server and application logs to a centralized log platform and apply rules for cross-origin POSTs to administrative endpoints.
- Track creation of accounts with administrative roles and require human review for each event.
- Enable browser-side reporting through the Content-Security-Policy report-uri directive to surface unexpected form submissions.
How to Mitigate CVE-2019-25682
Immediate Actions Required
- Restrict access to /users.php and the CMSsite admin directory by source IP or VPN until a fix is applied.
- Audit all administrator accounts and remove any that cannot be attributed to legitimate provisioning.
- Force a password reset and session invalidation for all administrators.
- Configure session cookies with SameSite=Strict (or Lax) and the Secure and HttpOnly flags.
Patch Information
No vendor-supplied patch is listed in the NVD record or vendor advisories. The GitHub CMSsite Repository should be reviewed for any maintainer-supplied updates. Operators running CMSsite 1.0 should consider migrating to an actively maintained content management platform.
Workarounds
- Place CMSsite behind a reverse proxy or web application firewall that strips cross-origin POST requests to /users.php.
- Add a server-side anti-CSRF token to all state-changing forms and validate it on every POST.
- Reject requests to administrative endpoints whose Origin or Referer header does not match the application's own hostname.
- Limit administrator browser sessions to a dedicated browser profile that does not visit untrusted sites.
# Example nginx rule rejecting cross-origin POSTs to users.php
# nginx does not permit an "if" block nested inside another "if", so the two tests
# are combined through a variable. A POST with no Referer at all is rejected too,
# which can affect browsers that apply a strict referrer policy.
location = /users.php {
    set $csrf_block "";
    if ($request_method = POST) { set $csrf_block "P"; }
    if ($http_referer !~* "^https?://your-cmssite-host/") { set $csrf_block "${csrf_block}R"; }
    if ($csrf_block = "PR") { return 403; }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
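The token and Origin/Referer workarounds listed above, as an added example and not CMSsite's own code: a hardened users.php-style handler skeleton in PHP that sets the SameSite, Secure and HttpOnly cookie flags, issues a per-session synchronizer token, and checks request provenance before any dispatch on source or del. APP_HOST and the helper function names are assumptions.

```php
<?php
// Added example, not CMSsite's own code: CSRF defenses for a users.php-style handler.
// Assumes the administrator is already authenticated through a PHP session.
declare(strict_types=1);

const APP_HOST = 'your-cmssite-host'; // assumption: the installation's canonical hostname

// Cookie flags from the mitigation section; these must be set before session_start().
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// Synchronizer token: one random value per session, embedded in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Provenance check: Origin is preferred, Referer is the fallback; with neither, refuse.
function origin_ok(?string $origin, ?string $referer, string $host): bool
{
    $src = $origin ?? $referer ?? '';
    if ($src === '') {
        return false;
    }
    return strcasecmp((string) parse_url($src, PHP_URL_HOST), $host) === 0;
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_ok($submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $fromThisSite = origin_ok($_SERVER['HTTP_ORIGIN'] ?? null, $_SERVER['HTTP_REFERER'] ?? null, APP_HOST);
    if (!$fromThisSite || !csrf_ok($_POST['csrf_token'] ?? null, csrf_token())) {
        http_response_code(403);
        exit('Rejected: request did not originate from this site or carried no valid token.');
    }
    // Only now dispatch on $_POST['source'] (add_user / edit_user) or $_POST['del'].
}
?>
<!-- Every state-changing form carries the token as a hidden field. -->
<form method="post" action="users.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="hidden" name="source" value="add_user">
  <button type="submit">Add user</button>
</form>
```

A forged cross-site form cannot read the session-bound token and, with SameSite=Strict, does not even carry the session cookie, so the handler fails closed on both checks.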
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.