Moderate severity · NVD Advisory · Published Mar 24, 2022 · Updated Aug 3, 2024

CVE-2022-25576

Description

Anchor CMS v0.12.7 is vulnerable to a CSRF that allows an attacker to delete posts without the admin's consent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Anchor CMS v0.12.7 contains a Cross-Site Request Forgery (CSRF) vulnerability in the anchor/routes/posts.php component. The delete post endpoint at admin/posts/delete/(:num) uses a GET request with no CSRF token or referer check [1][3]. This allows an attacker to forge requests that delete posts when an authenticated admin visits a malicious page.

Exploitation

An attacker must trick an authenticated admin into visiting a malicious HTML page or clicking a crafted link. The admin's browser then automatically sends a GET request to /admin/posts/delete/{id} with the admin's session cookie. No user interaction beyond visiting the page is required, as demonstrated by a PoC using a simple HTML form and history.pushState to hide the redirect [3].

Impact

Successful exploitation allows the attacker to arbitrarily delete any post on the site. The deletion is permanent; comments and metadata associated with the post are also removed. The attacker gains the ability to destroy content with the same privileges as the admin, leading to data loss and disruption of the site's content.

Mitigation

The Anchor CMS project is no longer maintained, and no patch has been issued for this vulnerability [2]. Users are advised to migrate to an alternative CMS. As a workaround, administrators can restrict access to the admin panel via IP whitelisting, or change the delete route to require a POST request carrying a CSRF token; neither is implemented in the current release. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
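
Because no patch exists, one stopgap for an install that is still running is to review web server access logs for delete requests that did not come from the admin UI. The following Python sketch is an added example, not code from Anchor CMS or the advisory; it assumes Combined Log Format, a site host of blog.example.com, and that a legitimate delete is clicked inside the admin panel and therefore carries a Referer on the site's own host. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Route named in the advisory: admin/posts/delete/(:num). search() tolerates a subdirectory install.
DELETE_RE = re.compile(r'/admin/posts/delete/(?P<post_id>\d+)/?(?:\?|$)')

# Constructed sample lines (documentation IPs, example hosts); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2022:10:00:01 +0000] "GET /admin/posts/delete/12 HTTP/1.1" 302 0 "https://blog.example.com/admin/posts/edit/12" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Mar/2022:10:07:44 +0000] "GET /admin/posts/delete/13 HTTP/1.1" 302 0 "https://blog.example.com.other.example/p.html" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Mar/2022:10:09:02 +0000] "GET /admin/posts/delete/14 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2022:10:09:30 +0000] "GET /posts/hello-world HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def classify_referer(referer, site_host):
    """Return 'same-host', 'other-host' or 'missing' for a logged Referer value."""
    if referer in ("", "-"):
        return "missing"
    try:
        host = urlsplit(referer).hostname  # exact host compare, so look-alike prefixes fail
    except ValueError:
        return "other-host"
    return "same-host" if host == site_host.lower() else "other-host"

def find_suspect_deletes(lines, site_host):
    # Flag GET deletes whose Referer is absent or points at another host.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        d = DELETE_RE.search(m["path"])
        if d is None:
            continue
        where = classify_referer(m["referer"], site_host)
        if where != "same-host":
            findings.append({"time": m["time"], "ip": m["ip"],
                             "post_id": int(d["post_id"]), "referer": where})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_deletes(SAMPLE_LOG, "blog.example.com"):
        print(finding)
```

A flagged line is a lead to correlate with missing posts, not proof of forgery: privacy settings and some proxies strip the Referer header from legitimate requests.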

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: anchorcms/anchor-cms (Packagist)
Affected versions: <= 0.12.7
Patched versions: none listed

Patches

0

No patches discovered yet.
