PerfreeBlog
CVE-2025-60730
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Network CSRF-style delivery needing victim interaction (UI:R, PR:N); arbitrary deletion is an integrity impact (I:H), no disclosure (C:N), limited availability (A:L).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
PerfreeBlog v4.0.11 has an arbitrary file deletion vulnerability in the unInstallTheme function
AnalysisAI
Arbitrary file deletion in PerfreeBlog 4.0.11 lets attackers remove files outside the intended theme directory by abusing the unInstallTheme theme-management function. Publicly available exploit code exists, though the flaw is not on CISA KEV and carries a low EPSS score (0.31%, 22nd percentile), indicating limited real-world exploitation to date. The CVSS 3.1 vector (PR:N/UI:R) implies an unauthenticated attacker who tricks an interacting user into triggering the deletion, consistent with a CSRF-style delivery against an administrator.
Technical ContextAI
PerfreeBlog is a lightweight Java-based blogging/CMS platform (vendor site perfree.org.cn), affecting version 4.0.11 per CPE cpe:2.3:a:perfree:perfreeblog:4.0.11. The root cause is classified as CWE-459 (Incomplete Cleanup): the unInstallTheme routine, intended to remove a theme's files during uninstallation, does not properly constrain or sanitize the target path, so a supplied theme/path value can traverse outside the themes directory and delete arbitrary files on the host filesystem. In practice this is a path-handling failure in a privileged administrative maintenance operation where the cleanup logic trusts caller-supplied identifiers.
RemediationAI
No vendor-released patched version is identified in the available data, so no fixed version can be cited; monitor the vendor site https://perfree.org.cn/ and the project's release channel for an update addressing CVE-2025-60730 and upgrade as soon as a patched build is published. As compensating controls until then: restrict access to the theme-management/administration interface to trusted networks or VPN so the unInstallTheme endpoint cannot be reached broadly; enforce anti-CSRF tokens and re-authentication on theme uninstall actions to blunt the UI:R/CSRF delivery path (trade-off: admins must re-confirm destructive actions); run the application service under a least-privileged OS account so arbitrary deletion is confined and cannot remove system-critical or other applications' files (trade-off: none significant beyond standard hardening); and maintain offline backups so any deleted files can be restored. Consult the public write-up above to build detection for anomalous theme-uninstall requests.
More in Perfreeblog
View allIn PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component
Arbitrary file read in PerfreeBlog v4.0.11 allows unauthenticated remote attackers to read files outside the intended we
Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system
Arbitrary file upload in PerfreeBlog 4.0.11 lets an authenticated user abuse the installPlugin function to upload malici
Arbitrary file upload in PerfreeBlog v4.0.11 lets an authenticated attacker abuse the installTheme function to upload ma
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function. Rated high severity (C
PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. Rated high severity (CV
A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. Rated medium severity (CVSS 6.3), th
Same weakness CWE-459 – Incomplete Cleanup
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today