CVE-2017-1000432
Description
Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vanilla Forums below 2.1.5 are vulnerable to CSRF allowing any registered user to delete topics and comments without admin privileges.
Vulnerability
Vanilla Forums versions below 2.1.5 are affected by a Cross-Site Request Forgery (CSRF) vulnerability. The flaw allows an attacker to perform unauthorized actions on behalf of an authenticated user, specifically deleting topics and comments. The affected versions are all releases prior to 2.1.5. [1]
Exploitation
An attacker must trick a logged-in user into visiting a crafted HTML page containing a form that submits a request to the forum's endpoint. The proof-of-concept demonstrates a form that posts to /vanilla/discussion/dismissannouncement with a target discussion ID. The victim must be logged in and have registered user privileges; no admin access is required. The attacker can set the discussion ID to delete specific topics or comments. [1]
Impact
Successful exploitation enables an attacker to delete topics and comments on the forum without needing admin access. This can result in loss of content and disruption of forum operations. The attacker effectively gains the ability to remove arbitrary discussions and comments as if they were the victim user. [1]
Mitigation
The vulnerability is fixed in Vanilla Forums version 2.1.5, but the reference recommends updating to version 2.5 for full remediation. Users should upgrade to the latest available version to protect against this CSRF attack. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection and missing authorization checks on the dismissannouncement endpoint allow any registered user to delete topics and comments."
Attack vector
An attacker crafts a malicious HTML form that submits a POST request to the `/vanilla/discussion/dismissannouncement` endpoint on the target Vanilla Forums instance [1]. The form includes a `discussionid` parameter specifying the target discussion. When a logged-in victim visits the attacker's page, the form auto-submits (or the victim is tricked into clicking submit), causing the victim's browser to send the request with their session cookies. Because the endpoint lacks CSRF protection and does not verify that the victim has administrative privileges, any registered user can delete topics and comments [1].
Affected code
The vulnerability affects Vanilla Forums versions below 2.1.5. The exploit targets the `/vanilla/discussion/dismissannouncement` endpoint, which accepts a `discussionid` parameter via POST without any CSRF token or ownership check [1].
What the fix does
The advisory states that updating to Vanilla Forums version 2.1.5 (or later) resolves the issue [1]. The patch is not shown in the bundle, but the fix presumably adds CSRF token validation and/or proper permission checks to the `dismissannouncement` endpoint so that only authorized administrators can delete topics and comments, and only in response to requests originating from the forum itself [1].
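The two checks the advisory implies, as an added illustration that is not Vanilla's own code: a minimal handler for the `dismissannouncement` action in its pre-fix shape beside a hardened shape that requires a per-session CSRF token, optionally checks the `Origin` header, and enforces an owner-or-role check. The session store, discussion table, server secret, `csrf_token` form field name and forum origin are assumed stand-ins constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for session store, server secret and forum origin (not Vanilla's real model).
SESSIONS = {"sess-member": {"user_id": 42, "role": "member"},
            "sess-admin": {"user_id": 1, "role": "admin"}}
SERVER_SECRET = b"constructed-demo-secret-change-me"
FORUM_ORIGIN = "https://forum.example"

def fresh_discussions():
    # discussion 7 belongs to another user; discussion 9 belongs to user 42
    return {7: {"owner_id": 7, "dismissed": False},
            9: {"owner_id": 42, "dismissed": False}}

def csrf_token(session_id):
    """Per-session anti-CSRF token: HMAC of the session id under a server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _lookup(discussions, form):
    raw = form.get("discussionid", "")
    return discussions.get(int(raw)) if raw.isdigit() else None

def dismiss_vulnerable(discussions, session_id, form):
    """Pre-2.1.5 behaviour as the page describes it: any authenticated session may
    act on any discussionid, with neither a CSRF token nor an authorization check."""
    if session_id not in SESSIONS:
        return 403
    disc = _lookup(discussions, form)
    if disc is None:
        return 404
    disc["dismissed"] = True
    return 200

def dismiss_hardened(discussions, session_id, form, origin=None):
    """Same endpoint with the checks the page says the fix presumably adds."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 403
    # 1. CSRF: token bound to this session; a page on another site cannot read it.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return 403
    # 2. Defence in depth: if the browser sends Origin, it must be the forum itself.
    if origin is not None and origin != FORUM_ORIGIN:
        return 403
    disc = _lookup(discussions, form)
    if disc is None:
        return 404
    # 3. Authorization: only the owner or a moderator/admin may act on the discussion.
    if disc["owner_id"] != sess["user_id"] and sess["role"] not in ("moderator", "admin"):
        return 403
    disc["dismissed"] = True
    return 200
```

The first check alone stops the cross-site form, since the attacker's page cannot obtain the victim's token; the third check closes the missing-authorization half of the root cause even for same-site requests.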
Preconditions
- auth: The victim must be logged into a Vanilla Forums instance running a version below 2.1.5
- input: The attacker must trick the victim into visiting a page containing the malicious HTML form
- network: The target forum must have the /vanilla/discussion/dismissannouncement endpoint accessible
Reproduction
1. Save the following HTML as a file (e.g., exploit.html):
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/43462/ (MITRE, x_refsource_EXPLOIT-DB)
- open.vanillaforums.com/discussion/28337/vanilla-2-1-5-released-and-2-0-18-14 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.