CVE-2025-6865
Description
A vulnerability, which was classified as problematic, was found in DaiCuo up to 1.3.13. This affects an unknown part of the file /admin.php/addon/index. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery in DaiCuo CMS up to 1.3.13 allows remote attackers to perform unauthorized actions via crafted requests to /admin.php/addon/index.
Vulnerability
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in DaiCuo CMS version 1.3.13 and earlier. The issue resides in the /admin.php/addon/index endpoint, where state-changing operations (such as deleting a friend entry) are performed without requiring a unique token or other CSRF protection. This allows an attacker to trick an authenticated administrator into unknowingly executing unwanted actions [1].
Exploitation
Attackers can exploit this vulnerability by crafting a malicious HTML page containing a hidden form that automatically submits a request to the vulnerable endpoint. The form can be embedded in a web page or sent via email, and requires no user interaction beyond the victim visiting the page while logged into DaiCuo CMS. The provided proof-of-concept demonstrates deleting a friend with ID 12 by submitting parameters such as module=friend, controll=admin, action=delete, and id=12 [1].
Impact
Successful exploitation allows an attacker to perform any action that the vulnerable endpoint supports, such as deleting data or modifying settings, with the privileges of the targeted administrator. Since the admin panel is accessible over the network, the attack can be initiated remotely. The impact is limited to the functionality exposed via the /admin.php/addon/index component [1].
Mitigation
As of the publication date, no official patch has been mentioned. Users should consider implementing CSRF tokens for all state-changing requests, verifying the Referer header, or restricting access to the admin panel until a security update is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
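One way to apply the token-plus-origin mitigation described above, written as an added Python illustration rather than DaiCuo's own PHP code; the request dicts, SERVER_SECRET, ALLOWED_ORIGIN and both handler functions are constructed for this example. The vulnerable handler reproduces the behaviour the page describes (the admin session alone authorises the delete), while the hardened one rejects a cross-origin form post and requires a session-bound HMAC token checked in constant time.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: a server-side secret and the admin site's own origin.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://cms.example.test"

def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: random nonce + HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session's nonce and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def same_origin(headers: dict) -> bool:
    """Defence in depth: Origin (or Referer as fallback) must name the admin site itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # a missing header is treated as cross-origin, never trusted by default
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN

def addon_delete_vulnerable(request: dict) -> str:
    """Mirrors the flaw on the page: the admin's session cookie alone authorises the action."""
    if request["session_id"]:
        return f"deleted {request['params']['module']} id={request['params']['id']}"
    return "denied"

def addon_delete_hardened(request: dict) -> str:
    """Same action, gated on a same-origin header and a valid session-bound token."""
    sid = request["session_id"]
    if not sid:
        return "denied"
    if not same_origin(request["headers"]):
        return "denied: cross-origin request"
    if not verify_csrf_token(sid, request["params"].get("_token", "")):
        return "denied: missing or invalid CSRF token"
    return f"deleted {request['params']['module']} id={request['params']['id']}"
```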
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/wwm1995/weiming_wang/blob/main/daicuocms_1.md (nvd: Exploit, Third Party Advisory)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Permissions Required, VDB Entry)
News mentions: 0
No linked articles in our index yet.