Platform: php
Component: vuln
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1
CVE-2025-15455 describes an improper authentication vulnerability discovered in MiniCMS, a PHP-based content management system. This flaw resides within the delete_page function of the /minicms/mc-admin/page.php file, specifically within the File Recovery Request Handler component. Successful exploitation allows attackers to remotely manipulate file recovery requests, potentially leading to unauthorized access and data compromise. The vulnerability affects versions 1.0 through 1.8 of MiniCMS, and a public exploit is already available.
The improper authentication flaw in MiniCMS allows an attacker to bypass authentication controls when attempting to delete pages. This can be exploited remotely, meaning an attacker doesn't need to be on the same network as the CMS to launch the attack. The ability to manipulate file recovery requests could allow an attacker to delete critical files, modify content, or even gain administrative access to the CMS. Given the availability of a public exploit, the risk of exploitation is significantly elevated. The potential blast radius extends to any data stored within the MiniCMS instance, including user data, configuration files, and website content.
CVE-2025-15455 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high likelihood of exploitation. The vulnerability was reported on 2026-01-05. The vendor, MiniCMS, was contacted but did not respond. The presence of a public exploit and the lack of a vendor response significantly increase the risk. The vulnerability is not currently listed on CISA KEV as of the disclosure date.
EPSS: 0.08% (24% percentile)
The primary mitigation for CVE-2025-15455 is to upgrade MiniCMS to a version that addresses this vulnerability. Unfortunately, no fixed version is currently specified in the provided data. Until a patch is released, consider implementing temporary workarounds. These may include restricting access to the /minicms/mc-admin/page.php endpoint through a web application firewall (WAF) or proxy server, implementing stricter authentication policies, and regularly monitoring logs for suspicious activity. Implement input validation on all parameters passed to the delete_page function. After applying any mitigation steps, verify their effectiveness by attempting to trigger the vulnerable function with malicious input and confirming that authentication is enforced.
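The log-monitoring step above, as an added example that is not part of the original advisory or of MiniCMS: it scans combined-format access logs for requests to /minicms/mc-admin/page.php that come from outside an administrator allowlist, and separates those that were answered with a 2xx. The allowlist network, the sample log lines and the query parameter name are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/minicms/mc-admin/page.php"  # path named in the advisory
# Assumption: network your administrators connect from (constructed value).
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOG_RE = re.compile(  # Apache/nginx "combined" access-log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def hits_endpoint(target):
    """True if the target resolves to ENDPOINT once percent-encoding, '//',
    '.' and '..' are normalised (trailing path info also matches)."""
    raw = unquote(target.split("?", 1)[0])
    path = posixpath.normpath("/" + raw.lstrip("/"))
    return path == ENDPOINT or path.startswith(ENDPOINT + "/")

def from_admin_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)

def suspicious_requests(lines):
    """Map source IP -> [(timestamp, method, target, status)] for requests
    to ENDPOINT that did not come from ADMIN_NETS."""
    found = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_endpoint(m["target"]) and not from_admin_net(m["ip"]):
            found[m["ip"]].append((m["ts"], m["method"], m["target"], int(m["status"])))
    return dict(found)

def served_sources(found):
    """Sources that received a 2xx, i.e. nothing upstream blocked the request."""
    return sorted(ip for ip, reqs in found.items() if any(200 <= r[3] < 300 for r in reqs))

# Constructed sample lines; "placeholder" is not a real MiniCMS parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2026:10:00:01 +0000] "GET /minicms/mc-admin/page.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2026:10:02:13 +0000] "GET /minicms/mc-admin/page.php?placeholder=1 HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.7 - - [05/Jan/2026:10:02:15 +0000] "GET /minicms//mc-admin/%70age.php?placeholder=2 HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [05/Jan/2026:10:05:40 +0000] "GET /minicms/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jan/2026:10:06:02 +0000] "POST /minicms/mc-admin/page.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    print(served_sources(suspicious_requests(SAMPLE_LOG)))
```

After a WAF or proxy restriction is in place, served_sources should come back empty for traffic from outside the allowlist; any entry means a request still reached the endpoint and was answered.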
Update MiniCMS to a version later than 1.8 that fixes the improper authentication vulnerability in the delete_page function of the page.php file. If no version is available, consider disabling or removing the affected functionality until a fix is released.
CVE-2025-15455 is a Medium severity vulnerability in MiniCMS versions 1.0-1.8 that allows remote attackers to bypass authentication and manipulate file recovery requests due to a flaw in the delete_page function.
You are affected if you are using MiniCMS versions 1.0 through 1.8. Upgrade to a patched version as soon as it becomes available.
Upgrade MiniCMS to a version that addresses this vulnerability. Until a patch is released, implement workarounds like WAF rules and stricter authentication policies.
Yes, a public exploit is available, indicating a high probability of active exploitation.
As of the disclosure date, no official advisory has been released by MiniCMS. Monitor their website and security mailing lists for updates.