VYPR
Moderate severity · NVD Advisory · Published Mar 22, 2024 · Updated Aug 26, 2024

CVE-2024-29338

Description

Anchor CMS v0.12.7 is vulnerable to Cross-Site Request Forgery (CSRF) via the category deletion endpoint, allowing an attacker to trick an admin into deleting categories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Anchor CMS v0.12.7 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /anchor/admin/categories/delete/2 endpoint. The lack of anti-CSRF tokens or other validation mechanisms allows an attacker to craft a malicious request that, when executed by an authenticated administrator, deletes a category without their consent [1].

Exploitation requires social engineering: the attacker must trick a logged-in admin into visiting a crafted link or page that triggers the delete request. No additional authentication is needed because the victim already has admin privileges. The attack surface is the admin panel's category management functionality [1].

Successful exploitation results in the deletion of category 2 (or any specified category ID), potentially disrupting blog organization and content management. The impact is limited to category deletion, but repeated attacks could cause significant data loss [1].

Anchor CMS is no longer maintained; the project repository states it is not production ready and recommends using alternative platforms [2]. As of the publication date, no official patch has been released, and users are advised to migrate away from Anchor CMS to mitigate this and other unpatched vulnerabilities.
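
With no patch available, one way to watch for this issue is to scan web-server access logs for category-delete requests that did not originate from the site's own pages. This is an added example, not Anchor CMS code or part of the advisory; the host name, the Combined Log Format input and the sample lines are assumptions, and the advisory's /delete/2 path is generalised to any numeric category ID.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "blog.example.test"  # assumption: hypothetical host serving the CMS

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
# Endpoint named in the advisory, generalised to any numeric category ID.
DELETE_RE = re.compile(r'/admin/categories/delete/(?P<id>\d+)(?:[/?#]|$)')

# Constructed sample lines (addresses, times, methods and referers are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2024:10:01:12 +0000] "GET /anchor/admin/categories/delete/2 HTTP/1.1" 302 0 "https://blog.example.test/anchor/admin/categories" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Mar/2024:10:05:40 +0000] "POST /anchor/admin/categories/delete/2 HTTP/1.1" 302 0 "https://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Mar/2024:10:06:02 +0000] "GET /anchor/admin/categories/delete/5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Mar/2024:10:07:00 +0000] "GET /anchor/posts/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def referer_host(referer):
    try:
        return urlsplit(referer).hostname  # None for "-" or an empty Referer
    except ValueError:                     # malformed URL in the header
        return None

def classify(line, site_host=SITE_HOST):
    """Return a finding for a category-delete request, or None for other lines."""
    m = LINE_RE.match(line)
    hit = DELETE_RE.search(m["path"]) if m else None
    if not hit:
        return None
    host = referer_host(m["referer"])
    if host is None:
        verdict = "no-referer"   # origin unknown; queue for manual review
    elif host.lower() == site_host.lower():
        verdict = "same-site"    # consistent with a click inside the admin panel
    else:
        verdict = "cross-site"   # initiated from another origin: CSRF indicator
    return {"time": m["time"], "ip": m["ip"], "method": m["method"],
            "category_id": int(hit["id"]), "status": int(m["status"]),
            "referer_host": host, "verdict": verdict}

def suspicious(lines, site_host=SITE_HOST):
    """Delete requests that did not originate from the site itself."""
    return [f for f in map(lambda l: classify(l, site_host), lines)
            if f and f["verdict"] != "same-site"]
```

A missing Referer is not proof of forgery, since browsers can suppress the header, so those findings are review candidates rather than confirmed incidents.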

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| anchorcms/anchor-cms (Packagist) | <= 0.12.7 | |

Patches

No patches discovered yet.
