Platform
php
Component
windu-cms
Fixed in
4.1.1
CVE-2025-59112 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS. It lets an attacker cause an authenticated user's browser to submit a request the user never intended, specifically one that deletes a user account. All versions up to and including 4.1 are affected; the fix ships in version 4.1 build 2250.
Exploitation requires only a malicious web page. When a logged-in Windu CMS user visits it, the page silently submits a POST request to the CMS's user-edit endpoint; the browser attaches the user's session cookie, so the CMS treats the forged request as legitimate and deletes the account. The result is denial of service for the affected user and, if the deleted account belonged to an administrator, loss of integrity in the CMS. The blast radius is limited to users who are logged into the CMS while visiting the attacker's page, but for each of them the impact is significant.
This vulnerability was publicly disclosed on 2025-11-18. No public proof-of-concept exploit is known, the vulnerability is not listed in the CISA KEV catalog at the time of writing, and active exploitation is unconfirmed.
Administrators and users of Windu CMS installations running any version up to and including 4.1 are at risk. Installations on shared hosting, which are often slower to patch, stay exposed for longer. Administrative users are the most valuable targets, since deleting their accounts removes the people able to manage the site.
• source tree (installed copy):
grep -rn "user_edit.php" .   # locate the user-edit handler, then read it: a fixed build rejects POSTs that lack a session-bound token
• generic web:
curl -si https://your-windu-cms-site.com/admin/user_edit.php | grep -i 'set-cookie'   # the session cookie should carry a SameSite attribute; -I (HEAD) alone will not show the form
curl -s -b cookies.txt https://your-windu-cms-site.com/admin/user_edit.php | grep -i 'csrf'   # an authenticated fetch of the form (cookies.txt holds your session) should show a hidden token field
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2025-59112 is to upgrade Windu CMS to version 4.1 build 2250 or later. If upgrading is not immediately feasible, add CSRF protection to the user-edit forms and endpoints: a per-session random token embedded in every form and verified in constant time on every state-changing request, plus a SameSite attribute on the session cookie so browsers stop attaching it to cross-site POSTs. A Web Application Firewall can add a layer by blocking POSTs to admin endpoints whose Origin or Referer header names another site, but it cannot tell a forged request from a legitimate one by the body alone, because both carry the victim's valid session cookie. After upgrading, confirm the fix by submitting a delete request for a test user from a page on another origin, without the token, and checking that the CMS rejects it.
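The following is an added example of the token-based protection described above; it is not Windu CMS code and is not taken from the vendor's fix. The endpoint path, the field names (`csrf_token`, `id`, `action`), the `user_id` session key and the `delete_user()` stand-in are assumptions made for the demonstration. The vulnerable handler shows the pattern that CSRF abuses (authentication as the only check); the hardened handler shows the checks a fixed endpoint needs.

```php
<?php
// Added illustrative example, not Windu CMS code. Endpoint, field names,
// session layout and delete_user() are assumptions for this demonstration.
declare(strict_types=1);

// Harden the session cookie before the session starts: SameSite=Lax stops
// browsers attaching it to cross-site POSTs (array form needs PHP >= 7.3).
session_set_cookie_params([
    'samesite' => 'Lax',
    'secure'   => true,
    'httponly' => true,
]);
session_start();

// Stand-in for the CMS's real deletion routine (assumption).
function delete_user(int $id): void
{
    // In the real CMS this would run the DELETE for user $id.
}

// Issue one random token per session; reuse it so the form stays valid
// across reloads and multiple open admin tabs.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Render the admin form with the token as a hidden field.
function render_delete_form(int $userId): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/user_edit.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="id" value="' . $userId . '">'
         . '<button name="action" value="delete">Delete user</button>'
         . '</form>';
}

// Vulnerable pattern: authentication is the only check. A form auto-submitted
// from an attacker's page passes it, because the browser sends the cookie.
function handle_delete_vulnerable(array $post): string
{
    if (empty($_SESSION['user_id'])) {
        return 'not logged in';
    }
    delete_user((int) ($post['id'] ?? 0));
    return 'deleted';
}

// Hardened pattern: POST only, a valid session token, and an Origin header
// (when the browser sends one) whose host matches this site.
function handle_delete_hardened(array $post, array $server): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method not allowed';
    }
    if (empty($_SESSION['user_id'])) {
        return 'not logged in';
    }
    if (!csrf_check($post['csrf_token'] ?? null)) {
        return 'csrf check failed';
    }
    $origin = $server['HTTP_ORIGIN'] ?? '';
    // HTTP_HOST may carry a port; compare host names only.
    $selfHost = explode(':', $server['HTTP_HOST'] ?? '')[0];
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== $selfHost) {
        return 'cross-origin request rejected';
    }
    delete_user((int) ($post['id'] ?? 0));
    return 'deleted';
}

// Dispatch: a fixed page calls only the hardened handler.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($_POST['action'] ?? '') === 'delete') {
    echo handle_delete_hardened($_POST, $_SERVER);
} else {
    echo render_delete_form((int) ($_GET['id'] ?? 0));
}
```

To reproduce the post-upgrade check from the paragraph above against this example, host a form on a different origin that posts `action=delete&id=<test user>` without a `csrf_token` field while logged in: the vulnerable handler returns `deleted`, the hardened one returns `csrf check failed`, and with SameSite=Lax on the cookie the request arrives without a session at all and is refused as `not logged in`.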
Update Windu CMS to version 4.1 build 2250 or later. This update fixes the Cross-Site Request Forgery (CSRF) vulnerability in the user-edit functionality and prevents an attacker from deleting users without authorization.
CVE-2025-59112 is a Cross-Site Request Forgery (CSRF) vulnerability in Windu CMS that lets an attacker delete user accounts by forging a request that a logged-in user's browser submits.
You are affected if you are running any Windu CMS version up to and including 4.1. Upgrade to 4.1 build 2250 to resolve the issue.
Upgrade Windu CMS to version 4.1 build 2250. As a temporary workaround, add CSRF protection to the user-edit forms and endpoints, for example a session-bound token that every state-changing request must carry.
There are currently no confirmed reports of active exploitation, but the patch should be applied promptly.
Refer to the Windu CMS official website or security advisories for the latest information and updates regarding this vulnerability.