Platform
php
Component
windu-cms
Fixed in
4.1.1
CVE-2025-59112 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Windu CMS. The flaw allows an attacker to trigger unintended actions on behalf of an authenticated user, specifically the deletion of user accounts. The vulnerability affects versions 0 through 4.1, and a fix is available in version 4.1 build 2250.
An attacker can exploit this CSRF vulnerability by crafting a malicious website. When a logged-in Windu CMS user visits this website, a hidden POST request will be sent to the CMS, resulting in the deletion of the user's account. This could lead to denial of service for the affected user and potentially compromise the integrity of the CMS if the deleted user had administrative privileges. The blast radius is limited to users who are logged into the CMS and visit the malicious site, but the impact on individual users can be significant.
This vulnerability was publicly disclosed on 2025-11-18. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Active exploitation is currently unconfirmed.
Administrators and users of Windu CMS installations running versions 0 through 4.1 are at risk. Shared hosting environments using Windu CMS are particularly vulnerable, as they may be more difficult to patch quickly. Users with administrative privileges are at higher risk due to the potential for account compromise.
• wordpress / composer / npm:
grep -r "/admin/user_edit.php" .   # check for the user edit page without CSRF tokens
• generic web:
curl -I https://your-windu-cms-site.com/admin/user_edit.php | grep -i 'csrf'
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59112 is to upgrade Windu CMS to version 4.1 build 2250 or later. If upgrading is not immediately feasible, consider implementing CSRF protection mechanisms such as adding CSRF tokens to all forms and sensitive endpoints. Web Application Firewalls (WAFs) can be configured to detect and block suspicious POST requests. After upgrading, confirm the vulnerability is resolved by attempting to delete a test user account via a crafted CSRF request.
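As an added illustration of the interim mitigation described above (CSRF tokens on every state-changing form and endpoint), the following PHP is example code written for this page; it is not Windu CMS code and does not reflect how the 4.1 build 2250 fix is implemented. The function names `csrf_token`, `csrf_field`, `csrf_verify` and `handle_delete_user`, the `csrf_token` form field and the in-memory user table are all assumptions made for the example. It uses the synchronizer-token pattern: a per-session secret generated with a CSPRNG, embedded as a hidden field, and compared in constant time on every POST.

```php
<?php
// Added example (not Windu CMS code): synchronizer-token CSRF protection for a
// state-changing endpoint such as a user-deletion form. Function and field names
// (csrf_token, csrf_verify, the "csrf_token" field) are assumptions for this example.
declare(strict_types=1);

// Generate the session's CSRF token on first use and return it. The token comes
// from a CSPRNG; 32 random bytes hex-encoded gives a 64-character value.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden input to embed in every form that changes state (delete, edit, ...).
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy. hash_equals() avoids
// timing leaks; a missing session token or a non-string value is a failure.
function csrf_verify(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Handler for a user-deletion POST. The token check runs before any other
// logic; a form submitted from a third-party origin cannot supply the token.
function handle_delete_user(array &$session, array $post, array &$users): array
{
    if (!csrf_verify($session, $post)) {
        return ['status' => 403, 'body' => 'CSRF token missing or invalid'];
    }
    $id = (int) ($post['user_id'] ?? 0);
    if (!isset($users[$id])) {
        return ['status' => 404, 'body' => 'no such user'];
    }
    unset($users[$id]);
    return ['status' => 200, 'body' => "deleted user $id"];
}

// --- Simulated run with constructed data ------------------------------------
$session = [];                              // stands in for $_SESSION
$users   = [1 => 'admin', 2 => 'alice'];    // constructed user table

// 1) Cross-origin POST without a token: rejected, user 2 is untouched.
$forged = ['user_id' => 2];
$r = handle_delete_user($session, $forged, $users);
printf("request without token: %d %s\n", $r['status'], $r['body']);

// 2) Legitimate flow: the CMS renders csrf_field() into its form and the
//    browser submits the hidden field with the request.
$form  = csrf_field($session);
$legit = ['user_id' => 2, 'csrf_token' => $session['csrf_token']];
$r = handle_delete_user($session, $legit, $users);
printf("request with token:    %d %s\n", $r['status'], $r['body']);
printf("remaining user ids:    %s\n", implode(',', array_keys($users)));
```

Run it with `php csrf_example.php`. In a real deployment `$session` would be `$_SESSION` under `session_start()`, and the same `csrf_verify()` call belongs in front of every state-changing handler, not only deletion. Setting the session cookie with `SameSite=Lax` or `Strict` (`session_set_cookie_params(['samesite' => 'Lax'])`) adds a second, browser-enforced layer, but it does not replace the token: older clients and some cross-site navigations are not covered by it.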
Update Windu CMS to version 4.1 build 2250 or later. This update fixes the Cross-Site Request Forgery (CSRF) vulnerability in the user editing functionality. After the update, a malicious attacker can no longer delete users without authorization.
CVE-2025-59112 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS that allows attackers to delete user accounts.
You are affected if you are using Windu CMS versions 0 through 4.1. Upgrade to 4.1 build 2250 to resolve the issue.
Upgrade Windu CMS to version 4.1 build 2250. As a temporary workaround, implement CSRF protection mechanisms like adding CSRF tokens to forms.
There are currently no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the Windu CMS official website or security advisories for the latest information and updates regarding this vulnerability.