CVE-2025-63712 Overview
CVE-2025-63712 is a Cross-Site Request Forgery (CSRF) vulnerability in the SourceCodester Product Expiry Management System, also distributed as the Senior-walter Web-based Pharmacy Product Management System version 1.0. The flaw resides in the User Management module, specifically the delete-user.php endpoint. The endpoint authenticates requests using session cookies alone and does not validate any anti-CSRF token. Remote attackers can craft a malicious cross-origin GET request that, when triggered by an authenticated administrator, deletes arbitrary user accounts. The weakness is tracked under [CWE-352].
Critical Impact
An attacker can delete any user account, including administrator accounts, by tricking an authenticated user into visiting a malicious page.
Affected Products
- Senior-walter Web-based Pharmacy Product Management System 1.0
- SourceCodester Product Expiry Management System (User Management module)
- Deployments exposing delete-user.php to authenticated sessions
Discovery Timeline
- 2025-11-10 - CVE-2025-63712 published to NVD
- 2025-11-18 - Last updated in NVD database
Technical Details for CVE-2025-63712
Vulnerability Analysis
The vulnerability stems from missing CSRF protection on a state-changing endpoint. The delete-user.php script accepts user deletion requests via HTTP GET and relies exclusively on session cookies for authentication. Browsers automatically attach session cookies to cross-origin requests, so any HTML element that issues a request to the vulnerable URL executes in the victim's authenticated context.
Because the endpoint accepts GET, embedding the attack in an <img> tag, <iframe>, or hidden link is sufficient. The application performs no origin validation, no referrer check, and no synchronizer token verification. Successful exploitation results in arbitrary deletion of user accounts, which can include administrators, locking legitimate operators out of the system and disrupting pharmacy operations.
Root Cause
The root cause is the absence of CSRF mitigations on a sensitive write operation. The endpoint violates secure design by using an idempotent-looking GET request to perform a destructive action. It also fails to bind requests to the user's session through an unpredictable token, leaving the cookie as the sole authentication factor.
Attack Vector
An attacker hosts a malicious page or sends a phishing message containing a crafted link or auto-loading resource that targets the vulnerable delete-user.php URL with a chosen user identifier. When an authenticated administrator loads the attacker-controlled content, the browser issues the forged request with the valid session cookie. The application deletes the specified account without further verification. Exploitation requires user interaction but no privileges on the attacker's side.
No public proof-of-concept exploit is registered in Exploit-DB, but a technical write-up is available in the CVE-2025-63712 research repository.
Detection Methods for CVE-2025-63712
Indicators of Compromise
- HTTP GET requests to delete-user.php with a Referer header pointing to an external or unexpected domain.
- Unexplained deletion entries in the User Management audit log, particularly for administrator accounts.
- Authentication failures from legitimate users immediately following user-deletion events.
Detection Strategies
- Inspect web server access logs for GET requests to delete-user.php and correlate with the originating Referer and User-Agent.
- Alert on any state-changing endpoint receiving requests with a cross-origin or missing Referer.
- Monitor application logs for sequences where a user account is deleted shortly after an administrator visits an external link.
Monitoring Recommendations
- Forward web server and application logs to a centralized analytics platform for retention and correlation.
- Track the rate of user-deletion events and trigger alerts on deviations from baseline activity.
- Review administrator session activity after suspected phishing attempts or unusual web traffic.
How to Mitigate CVE-2025-63712
Immediate Actions Required
- Restrict network access to the application so the management interface is not reachable from untrusted networks.
- Require administrators to use a dedicated browser profile that is not used for general web browsing.
- Audit existing user accounts and re-create any accounts that have been deleted without authorization.
- Enforce short session timeouts to reduce the window in which a forged request can succeed.
Patch Information
No official vendor patch is listed in the NVD entry or referenced advisories at the time of publication. Operators should monitor the SourceCodester project page for updates and apply any vendor-provided fix as soon as it is released.
Workarounds
- Modify delete-user.php to require HTTP POST and reject GET requests for destructive actions.
- Implement a synchronizer CSRF token tied to the user's session and validate it server-side on every state-changing request.
- Set session cookies with SameSite=Strict to prevent the browser from sending them with cross-origin requests.
- Validate the Origin and Referer headers on sensitive endpoints and reject mismatched values.
# Example hardening: set SameSite and Secure attributes in php.ini
session.cookie_samesite = "Strict"
session.cookie_secure = 1
session.cookie_httponly = 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
