Platform: php
Component: vuln
Fixed in: 1.0.1, 1.1.1, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1
CVE-2025-15455 is an improper authentication vulnerability in MiniCMS, a PHP-based content management system. The flaw lies in the delete_page function of /minicms/mc-admin/page.php, in the component described as the File Recovery Request Handler. Successful exploitation lets a remote attacker manipulate file recovery requests, which can lead to unauthorized access and data compromise. MiniCMS versions 1.0 through 1.8 are affected, and a public exploit is already available.
The improper authentication flaw lets an attacker bypass the authentication checks that should gate page deletion. It is exploitable remotely: the attacker only needs to reach the admin endpoint over HTTP, not sit on the same network as the CMS. Manipulating file recovery requests could allow an attacker to delete critical files, modify content, or potentially gain administrative access to the CMS. With a public exploit available, the risk of exploitation is significantly elevated. The potential blast radius covers any data held by the MiniCMS instance: user data, configuration files, and website content.
CVE-2025-15455 has been publicly disclosed and a proof-of-concept exploit is available, so exploitation attempts against exposed instances should be expected. The vulnerability was reported on 2026-01-05. The vendor, MiniCMS, was contacted but did not respond. A public exploit combined with no vendor response raises the risk considerably. The vulnerability was not listed in the CISA KEV catalog as of the disclosure date.
Organizations and individuals running MiniCMS versions 1.0 through 1.8 are at risk, including any website or application that relies on MiniCMS for content management. Shared hosting environments deserve particular attention: several sites may run from the same MiniCMS installation, so a single reachable admin endpoint exposes all of them.
• php: Examine web server access logs for requests targeting /minicms/mc-admin/page.php with unusual parameters. Use grep to search for patterns indicative of exploitation attempts; delete_page is the function named in the advisory, so start with that string and widen the pattern if your requests encode the action differently:
grep -i 'delete_page' /var/log/apache2/access.log
• php: Monitor PHP error logs for authentication-related errors or unauthorized access attempts. The exact message depends on what MiniCMS and your PHP configuration actually log, so adjust the pattern to your environment:
grep -i 'authentication failed' /var/log/php_errors.log
• generic web: Use curl to send test requests to the /minicms/mc-admin/page.php endpoint without an admin session and observe the response for unexpected behavior or error messages. param1=malicious_value is a placeholder, not a known parameter name; -i prints the status line and any Location header so a redirect to the login page is visible:
curl -i -X POST -d 'param1=malicious_value' http://your-minicms-server/minicms/mc-admin/page.php
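The grep above only tells you that the string appeared in the log. The following script, added here as an example and not part of the original page or of MiniCMS, goes one step further: it parses Apache combined-format lines, keeps only hits on /minicms/mc-admin/page.php, and flags requests that do not look like an administrator working in a browser (no referer from the admin UI, a non-browser user agent), while recording whether the server answered 2xx instead of rejecting the request. The sample log lines are constructed, and the action=delete_page query string is an assumption for illustration; the advisory names the delete_page function, not its request parameters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The action=delete_page query string is an assumption made for this example:
# the advisory names the delete_page function, not the request parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2026:10:12:01 +0000] "GET /minicms/mc-admin/page.php?action=delete_page&id=3 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [05/Jan/2026:10:12:02 +0000] "GET /minicms/mc-admin/page.php?action=delete_page&id=4 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [05/Jan/2026:10:15:44 +0000] "GET /minicms/mc-admin/page.php?action=delete_page&id=9 HTTP/1.1" 302 0 "http://www.example.com/minicms/mc-admin/page.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
192.0.2.9 - - [05/Jan/2026:10:16:10 +0000] "GET /minicms/index.php?p=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
203.0.113.5 - - [05/Jan/2026:10:17:30 +0000] "POST /minicms/mc-admin/page.php HTTP/1.1" 200 301 "-" "python-requests/2.31"
"""

ENDPOINT = "/minicms/mc-admin/page.php"   # the vulnerable script named in the advisory
ADMIN_PREFIX = "/minicms/mc-admin/"       # legitimate admin actions are navigated from here
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")

# ip ident user [timestamp] "METHOD target [protocol]" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = urlsplit(entry["target"]).path
    return entry


def reasons_for(entry):
    """Return the indicators that make a request to the admin endpoint suspicious."""
    if entry["path"] != ENDPOINT:
        return []
    reasons = []
    if "delete_page" in entry["target"].lower():
        reasons.append("references delete_page")
    if ADMIN_PREFIX not in entry["referer"]:
        reasons.append("no referer from the admin UI")
    if not entry["ua"].startswith(BROWSER_UA_PREFIXES):
        reasons.append("non-browser user agent")
    if 200 <= entry["status"] < 300:
        reasons.append("server answered 2xx (request was not rejected)")
    return reasons


def is_flagged(reasons):
    """Flag hits on the endpoint that do not look like an admin working in a browser."""
    return ("no referer from the admin UI" in reasons
            or "non-browser user agent" in reasons)


def scan(log_text):
    """Return flagged entries (ip, target, status, reasons) from raw log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if is_flagged(reasons):
            findings.append({"ip": entry["ip"], "target": entry["target"],
                             "status": entry["status"], "reasons": reasons})
    return findings


def top_sources(findings):
    """Count flagged requests per client IP, most active first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["status"]} {h["target"]} :: {"; ".join(h["reasons"])}')
    print("flagged requests per source:", dict(top_sources(hits)))
```

On the constructed sample, the two curl requests and the python-requests POST from 203.0.113.5 are flagged; the Firefox request that arrives with an admin referer and gets a 302 is not. Browsers configured with a strict Referrer-Policy will also drop the referer, so treat the "no referer" indicator as a prompt to look, not as proof, and pay most attention to flagged requests that were answered 2xx.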
Exploit status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15455 is to upgrade MiniCMS to a version that addresses this vulnerability; no fixed version is specified in the data provided here. Until a patch is released, apply temporary workarounds: restrict access to the /minicms/mc-admin/page.php endpoint through a web application firewall (WAF) or reverse proxy (for example, allow it only from administrator IP ranges or behind an additional authentication layer), tighten authentication policies, and monitor logs for suspicious activity. Add input validation on every parameter passed to the delete_page function. After applying any mitigation, verify it: send a request that would reach the vulnerable function without an admin session, and confirm that the server rejects it (401, 403, or a redirect to the login page) rather than processing it.
Update MiniCMS to a version later than 1.8 that fixes the improper authentication in the delete_page function of page.php. If no such version is available, consider disabling or removing the affected functionality until a fix is published.
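The verification step in the mitigation paragraph above is easy to get wrong by eyeballing curl output, so here is a small checker, added as an example and not taken from the original page or from MiniCMS. It sends one unauthenticated request to the endpoint without following redirects, then decides whether authentication was enforced from the status code and the redirect target. The target URL, the action=delete_page query string, the id value and the assumption that the login page URL contains "login" are all hypothetical and must be adjusted to your installation.

```python
import urllib.error
import urllib.request

# Assumptions for this example (not taken from the advisory or from MiniCMS code):
# - the admin login lives under /minicms/mc-admin/ and its URL contains "login";
# - the vulnerable action is reached as action=delete_page with a page id;
# - id=999999 does not exist, so a still-vulnerable install does no real damage.
TARGET = "http://your-minicms-server/minicms/mc-admin/page.php?action=delete_page&id=999999"
LOGIN_MARKERS = ("login", "signin")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect target itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def auth_enforced(status, headers):
    """True if an unauthenticated request was refused: 401/403, or a redirect to login.

    A 200, or a redirect anywhere other than a login page, means the endpoint
    still processed the request without a session, i.e. the mitigation failed.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307, 308):
        location = lowered.get("location", "").lower()
        return any(marker in location for marker in LOGIN_MARKERS)
    return False


def probe(url, timeout=10):
    """Send one unauthenticated GET; return (status, headers) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(
        url, headers={"User-Agent": "cve-2025-15455-mitigation-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:   # 3xx (unfollowed), 4xx and 5xx arrive here
        return err.code, dict(err.headers.items())


def verdict(status, headers):
    """Human-readable PASS/FAIL line for the response."""
    if auth_enforced(status, headers):
        return "PASS: authentication enforced"
    return f"FAIL: endpoint answered {status} without a session"


if __name__ == "__main__":
    status, headers = probe(TARGET)
    print(verdict(status, headers))
```

Two caveats when reading the result. A WAF that answers blocked requests with 404 or a custom page will show as FAIL here; extend auth_enforced with whatever your WAF returns. And a redirect to the login page only proves what the response was, not that nothing happened before it: if the application performs the deletion and only then checks the session, the page is gone anyway. Confirm by checking that the targeted page still exists after the probe.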
CVE-2025-15455 is a Medium severity vulnerability in MiniCMS versions 1.0 through 1.8 that allows remote attackers to bypass authentication and manipulate file recovery requests, owing to a flaw in the delete_page function of /minicms/mc-admin/page.php.
You are affected if you run MiniCMS versions 1.0 through 1.8. Upgrade to a patched version as soon as one becomes available.
Upgrade MiniCMS to a version that addresses this vulnerability. Until a patch is released, apply workarounds such as WAF rules restricting /minicms/mc-admin/page.php and stricter authentication policies.
Yes, a public exploit is available, which raises the probability of exploitation attempts. Note that the EPSS score shown on this page (0.08%, 24th percentile) is low; for an internet-exposed admin panel, the public exploit, not the EPSS figure, is the signal to act on.
As of the disclosure date, no official advisory has been released by MiniCMS. Monitor the project's website and security mailing lists for updates.