Platform: php
Component: windu-cms
Fixed in: 4.1.1
CVE-2025-59110 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Windu CMS. This flaw allows an attacker to bypass the CSRF token protection mechanism within the user editing functionality, potentially leading to unauthorized modifications of user accounts. The vulnerability impacts versions 0.0 through 4.1, and a fix is available in version 4.1 build 2250.
The primary impact of this CSRF vulnerability is unauthorized modification of user accounts. An attacker could leverage the flaw to change user roles, permissions, or other sensitive account settings. Because Windu CMS allows open registration, an attacker could create a new account, gain access, and then use the CSRF vulnerability to compromise other user accounts, which could lead to data breaches, privilege escalation, and disruption of CMS operations. Open registration therefore significantly broadens the attack surface, since accounts from which to launch CSRF attacks are easy to obtain.
CVE-2025-59110 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's severity is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
The recommended mitigation for CVE-2025-59110 is to immediately upgrade Windu CMS to version 4.1 build 2250. If upgrading is not immediately feasible, a temporary workaround is to enforce stricter CSRF token validation on the user editing endpoint: verify that a token is present and matches the one bound to the session, and check that the request originates from the CMS itself. Web application firewalls (WAFs) can also be configured to detect and block malicious CSRF requests targeting the user editing functionality. After upgrading, confirm the fix by attempting to modify a test user account through a crafted CSRF request; the request should be rejected.
Update Windu CMS to version 4.1 build 2250 or higher. This version contains the fix for the CSRF vulnerability. It is recommended to perform the update as soon as possible to prevent potential attacks.
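As an added illustration of the stricter validation described above (this is example code, not Windu CMS code; the handler, session layout and `cms.example.org` hostname are assumptions), a PHP guard for a user-edit endpoint that fails closed when the token is missing and also checks the request's origin:

```php
<?php
// Added example, not Windu CMS code. Endpoint name, session keys and
// hostname are hypothetical.
declare(strict_types=1);

session_start();

// One CSPRNG-generated token per session, kept server-side and embedded in
// the edit form as <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns true only when the request is a POST carrying a token that matches
// the session token AND its Origin (or Referer) host is the CMS host.
function verify_csrf(string $expectedHost): bool
{
    // State changes only via POST; a GET edit URL is forgeable by design.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false;
    }
    // A missing token is a failure, never a reason to skip the comparison.
    $submitted = $_POST['csrf_token'] ?? '';
    $stored    = $_SESSION['csrf_token'] ?? '';
    if ($submitted === '' || $stored === '' || !hash_equals($stored, $submitted)) {
        return false;
    }
    // Origin check as a second layer; fail closed if neither header is sent.
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host   = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Hypothetical user-edit handler: reject before touching any account data.
if (!verify_csrf('cms.example.org')) {
    http_response_code(403);
    exit('CSRF validation failed');
}
// ... apply the requested user edit here ...
```

The Origin/Referer check is a defence in depth for the token check, not a replacement for it, since some clients strip those headers.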
CVE-2025-59110 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS allowing attackers to modify user accounts by bypassing CSRF token protection.
You are affected if you are using Windu CMS versions 0.0 through 4.1. Version 4.1 build 2250 contains the fix.
Upgrade Windu CMS to version 4.1 build 2250. As a temporary workaround, enforce stricter CSRF token validation.
There is no confirmed active exploitation of CVE-2025-59110 at this time, but the vulnerability is publicly known.
Refer to the Windu CMS official website or security advisory page for the most up-to-date information regarding CVE-2025-59110.