Skip to main content

PerfreeBlog CVE-2025-60730

HIGH
Incomplete Cleanup (CWE-459)
2025-10-24 cve@mitre.org
7.6
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
vuln.today AI
7.1 HIGH

Network CSRF-style delivery needing victim interaction (UI:R, PR:N); arbitrary deletion is an integrity impact (I:H), no disclosure (C:N), limited availability (A:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:05 vuln.today

DescriptionCVE.org

PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function

AnalysisAI

Arbitrary file deletion in PerfreeBlog 4.0.11 lets attackers remove files outside the intended theme directory by abusing the unInstallTheme theme-management function. Publicly available exploit code exists, though the flaw is not on CISA KEV and carries a low EPSS score (0.31%, 22nd percentile), indicating limited real-world exploitation to date. The CVSS 3.1 vector (PR:N/UI:R) implies an unauthenticated attacker who tricks an interacting user into triggering the deletion, consistent with a CSRF-style delivery against an administrator.

Technical ContextAI

PerfreeBlog is a lightweight Java-based blogging/CMS platform (vendor site perfree.org.cn), affecting version 4.0.11 per CPE cpe:2.3:a:perfree:perfreeblog:4.0.11. The root cause is classified as CWE-459 (Incomplete Cleanup): the unInstallTheme routine, intended to remove a theme's files during uninstallation, does not properly constrain or sanitize the target path, so a supplied theme/path value can traverse outside the themes directory and delete arbitrary files on the host filesystem. In practice this is a path-handling failure in a privileged administrative maintenance operation where the cleanup logic trusts caller-supplied identifiers.

RemediationAI

No vendor-released patched version is identified in the available data, so no fixed version can be cited; monitor the vendor site https://perfree.org.cn/ and the project's release channel for an update addressing CVE-2025-60730 and upgrade as soon as a patched build is published. As compensating controls until then: restrict access to the theme-management/administration interface to trusted networks or VPN so the unInstallTheme endpoint cannot be reached broadly; enforce anti-CSRF tokens and re-authentication on theme uninstall actions to blunt the UI:R/CSRF delivery path (trade-off: admins must re-confirm destructive actions); run the application service under a least-privileged OS account so arbitrary deletion is confined and cannot remove system-critical or other applications' files (trade-off: none significant beyond standard hardening); and maintain offline backups so any deleted files can be restored. Consult the public write-up above to build detection for anomalous theme-uninstall requests.

Share

CVE-2025-60730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy