Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery.
This issue affects WISECP: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site request forgery in Sitemio Information Technologies' WISECP product through version 20022026 allows attackers to trick authenticated users into performing unintended state-changing actions by visiting a malicious page. Successful exploitation carries high impact across confidentiality, integrity, and availability (CVSS 8.0), though it requires user interaction and the victim to hold valid low-privilege credentials. No public exploit identified at time of analysis, and the vendor did not respond to disclosure outreach by TR-CERT.
Technical ContextAI
WISECP is a commercial hosting/billing automation platform developed by Turkish vendor Sitemio Information Technologies Trade Ltd. Co., used by hosting providers to manage customer accounts, billing, and service provisioning. The CWE-352 root cause indicates the application accepts state-changing HTTP requests without verifying that the request was intentionally submitted by the authenticated user - typically because anti-CSRF tokens are absent, not validated, or because SameSite cookie protections are not enforced. Per the CPE string cpe:2.3:a:sitemio_information_technologies_trade_ltd._co.:wisecp, the flaw is application-layer and affects the WISECP product itself rather than an underlying framework.
RemediationAI
No vendor-released patch identified at time of analysis - TR-CERT reports that Sitemio did not respond to disclosure outreach, so defenders cannot yet cite a fixed version. Operators of WISECP should monitor https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0262 and the vendor's channels for an update, and in the interim apply compensating controls: enforce SameSite=Strict (or at minimum Lax) on session cookies at the reverse proxy or web server to break cross-origin POST/GET-driven CSRF (note this can break legitimate cross-site embeds or single-sign-on flows), require admin/staff users to log out of WISECP when browsing other sites, place the WISECP admin interface behind IP allow-listing or a VPN to limit who can be CSRF'd, and consider deploying a WAF rule that rejects state-changing requests lacking a same-origin Referer/Origin header (which may produce false positives for users on privacy-restricting browsers). Train privileged users to avoid clicking unknown links while logged in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209906
GHSA-vxj4-gq73-gm2c