Platform: php
Component: vuln
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1
CVE-2025-15455 describes an improper authentication vulnerability discovered in MiniCMS, a PHP-based content management system. This flaw resides within the delete_page function of the /minicms/mc-admin/page.php file, specifically within the File Recovery Request Handler component. Successful exploitation allows attackers to remotely manipulate file recovery requests, potentially leading to unauthorized access and data compromise. The vulnerability affects versions 1.0 through 1.8 of MiniCMS, and a public exploit is already available.
The improper authentication flaw in MiniCMS allows an attacker to bypass authentication controls when attempting to delete pages. This can be exploited remotely, meaning an attacker doesn't need to be on the same network as the CMS to launch the attack. The ability to manipulate file recovery requests could allow an attacker to delete critical files, modify content, or even gain administrative access to the CMS. Given the availability of a public exploit, the risk of exploitation is significantly elevated. The potential blast radius extends to any data stored within the MiniCMS instance, including user data, configuration files, and website content.
CVE-2025-15455 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high likelihood of exploitation. The vulnerability was reported on 2026-01-05. The vendor, MiniCMS, was contacted but did not respond. The presence of a public exploit and lack of vendor response significantly increases the risk. The vulnerability is not currently listed on CISA KEV as of the disclosure date.
Organizations and individuals using MiniCMS versions 1.0 through 1.8 are at risk. This includes websites and applications relying on MiniCMS for content management. Shared hosting environments are particularly vulnerable, as multiple websites may share the same MiniCMS installation, increasing the attack surface.
• php: Examine web server access logs for requests targeting /minicms/mc-admin/page.php with unusual parameters. Use grep to search for patterns indicative of exploitation attempts.
grep -i 'delete_page' /var/log/apache2/access.log
• php: Monitor PHP error logs for authentication-related errors or unauthorized access attempts.
grep -i 'authentication failed' /var/log/php_errors.log
• generic web: Use curl to test the /minicms/mc-admin/page.php endpoint with various inputs and observe the response for unexpected behavior or error messages.
curl -X POST -d 'param1=malicious_value' http://your-minicms-server/minicms/mc-admin/page.php
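As an added example (not part of this advisory or of MiniCMS itself), the grep checks above can be extended into a small Python triage that parses Apache combined-format access log lines, keeps only hits on /minicms/mc-admin/page.php, and reports source IPs that never requested the login page in the same window. The login path, the sample log lines and the `delete` parameter name are assumptions; MiniCMS's real parameter names may differ.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "method target proto" status bytes "referer" "ua".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ADMIN_PATH = "/minicms/mc-admin/page.php"

# Constructed sample lines, not real traffic. The "delete" query parameter is an
# assumption. POST bodies are never written to access logs, so only query-string
# parameters are visible in this kind of triage.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2026:10:01:02 +0000] "GET /minicms/mc-admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2026:10:01:09 +0000] "POST /minicms/mc-admin/page.php?delete=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2026:10:02:30 +0000] "POST /minicms/mc-admin/page.php?delete=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [05/Jan/2026:10:02:31 +0000] "POST /minicms/mc-admin/page.php?delete=2 HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.5 - - [05/Jan/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, login_path="/minicms/mc-admin/login.php"):
    """Return {ip: [records]} for hits on the admin page handler coming from
    IPs that never requested the login page within the same log window."""
    logged_in, hits = set(), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines in another format rather than crash
        url = urlsplit(rec["target"])
        if url.path == login_path:
            logged_in.add(rec["ip"])
        elif url.path == ADMIN_PATH:
            rec["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
            hits[rec["ip"]].append(rec)
    return {ip: recs for ip, recs in hits.items() if ip not in logged_in}

if __name__ == "__main__":
    for ip, recs in triage(SAMPLE_LOG).items():
        print(ip, [(r["method"], r["params"], r["status"]) for r in recs])
```

Feed a real access log with `triage(open(path).read())`; an IP that hits page.php without ever touching the login page is a candidate for the authentication bypass described above.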
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2025-15455 is to upgrade MiniCMS to a version that addresses this vulnerability. Unfortunately, no fixed version is currently specified in the provided data. Until a patch is released, consider implementing temporary workarounds. These may include restricting access to the /minicms/mc-admin/page.php endpoint through a web application firewall (WAF) or proxy server, implementing stricter authentication policies, and regularly monitoring logs for suspicious activity. Implement input validation on all parameters passed to the delete_page function. After applying any mitigation steps, verify their effectiveness by attempting to trigger the vulnerable function with malicious input and confirming that authentication is enforced.
Upgrade MiniCMS to a version later than 1.8 that fixes the improper authentication vulnerability in the delete_page function of the page.php file. If no such version is available, consider disabling or removing the affected functionality until a fix is published.
CVE-2025-15455 is a Medium severity vulnerability in MiniCMS versions 1.0-1.8 that allows remote attackers to bypass authentication and manipulate file recovery requests due to a flaw in the delete_page function.
You are affected if you are using MiniCMS versions 1.0 through 1.8. Upgrade to a patched version as soon as it becomes available.
Upgrade MiniCMS to a version that addresses this vulnerability. Until a patch is released, implement workarounds like WAF rules and stricter authentication policies.
Yes, a public exploit is available, indicating a high probability of active exploitation.
As of the disclosure date, no official advisory has been released by MiniCMS. Monitor their website and security mailing lists for updates.