CVE-2018-11405
Description
Kliqqi 2.0.2 has CSRF in admin/admin_users.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kliqqi 2.0.2 has a CSRF vulnerability allowing attackers to create admin accounts via crafted HTML forms.
Vulnerability
Kliqqi CMS 2.0.2 suffers from a Cross-Site Request Forgery (CSRF) flaw in admin/admin_users.php. The endpoint lacks anti-CSRF tokens, enabling attackers to forge requests that create new users with admin-level privileges. The vulnerable code path is reachable when an authenticated admin session is active, and the attacker can trick the admin into submitting a hidden form [1].
Exploitation
An attacker needs only a logged-in admin session and a means to deliver a crafted HTML form (e.g., via email, a compromised site, or a direct link). The form silently POSTs to admin/admin_users.php with parameters username=eviladmin, email=a11aa@aa.com, level=admin, password=123456, and mode=newuser. No user interaction beyond clicking the link or viewing the page is required; the browser automatically submits the request if the admin is authenticated [1].
Impact
Successful exploitation creates a rogue admin account (eviladmin) with full privileges, leading to unauthorized access, data manipulation, and potential site takeover. The attacker gains persistent control over the CMS without needing to know the original admin credentials [1].
Mitigation
As of the referenced advisory, no official patch had been published. Mitigation requires the standard CSRF protections: include a unique anti-CSRF token in every state-changing form, validate that token server-side before the action runs, and verify the request's origin for sensitive actions. Until a fix is released, admins should avoid clicking untrusted links while logged in [1].
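An added example, not code from the Kliqqi project or from the referenced advisory, showing the synchronizer-token pattern the mitigation describes as it could be applied to a PHP admin form such as admin/admin_users.php. The function names (csrf_token, csrf_verify, require_csrf_token), the hidden field name csrf_token and the form layout are assumptions; the mode=newuser parameter is the one named in the Exploitation section.

```php
<?php
// Added example (not Kliqqi's code): synchronizer-token CSRF protection for a
// PHP admin form. Function names and the csrf_token field name are assumptions.

declare(strict_types=1);

// Defence in depth: a Lax SameSite cookie is not sent on cross-site POSTs by
// browsers that honour it. The token check below remains the primary control.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Return the per-session anti-CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: a third-party page cannot
        // read the session and cannot guess this value.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Validate the token submitted with a state-changing request. */
function csrf_verify(?string $submitted): bool
{
    if (!isset($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    // Constant-time comparison so a timing side channel cannot leak the token.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Refuse a cross-site request before any user-creation code is reached. */
function require_csrf_token(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_verify($_POST['csrf_token'] ?? null)) {
        error_log('CSRF token missing or invalid on admin user form');
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// Handler side: the check runs before the "new user" branch does any work.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['mode'] ?? '') === 'newuser') {
    require_csrf_token();
    // ... only now hand off to the existing user-creation logic ...
}

// Form side: every state-changing form carries the token as a hidden field.
?>
<form method="post" action="admin_users.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="mode" value="newuser">
  <!-- username / email / level / password fields go here -->
  <button type="submit">Create user</button>
</form>
```

The token lives only in the server-side session and is compared with hash_equals(), so a page on another origin can neither read nor guess it; the SameSite attribute is a second layer for browsers that support it, not a replacement for the check. A POST that reaches the newuser branch without a valid token is logged and refused with 403 before any account is created.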
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2.0.0, 2.0.0rc1, 2.0.0rc2, … (+1 more)
- (no CPE) range: 2.0.0, 2.0.0rc1, 2.0.0rc2, …
- (no CPE) range: =2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/Kliqqi-CMS/Kliqqi-CMS/issues/256 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.