Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted.
The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database.
This is a real bug even within the admin trust model: the action should be scoped to the theme's own tables. The permission grants delete this theme's data", not "drop any table".
Details
Location
modules/Theme/Controllers/Theme.php :: deleteProcess() ~line 147
Vulnerable Code
public function deleteProcess(string $slug)
{
$themeName = $slug;
$activeTheme = setting('App.siteTheme');
if ($activeTheme === $themeName) {
return redirect()->route('templateSettings')...;
}
$tablesToDrop = $this->request->getPost('tables'); // ← user-supplied, unvalidated
if (!empty($tablesToDrop) && is_array($tablesToDrop)) {
$forge = \Config\Database::forge();
$db = \Config\Database::connect();
foreach ($tablesToDrop as $table) {
if ($db->tableExists($table)) {
$forge->dropTable($table, true); // ← no whitelist check
}
}
}PoC
- Authenticate to the backend (any user with theme.delete permission)
- POST to
/backend/themes/delete-process/<any_non_active_theme_slug> - Include
tables[]=<any_table>in POST body - The named tables are dropped without validation
Impact
- Dropped
ci4ms_blog(confirmed in test) - Dropped
ci4ms_users+ci4ms_auth_identitiessimultaneously - disables all authentication (confirmed) - Any table in the database can be targeted
Additional note
Quick note on the design intent for deleteProcess - I noticed delete_confirm.php scopes the checkboxes to the theme's own migration files, and the CHANGELOG confirms the selective deletion was intentional (admins can choose which tables to keep). The server-side deleteProcess already has all the information it needs to validate the input - deleteConfirm derives the valid table set from the migration files, deleteProcess just needs to do the same before acting on the POST. Happy to clarify if useful.
AnalysisAI
Arbitrary database table drop in CI4MS theme deletion allows authenticated administrators with theme.delete permission to craft malicious POST requests to the /backend/themes/delete-process/ endpoint and drop any table in the database, including critical tables such as ci4ms_users and ci4ms_auth_identities. The vulnerability exists because the deleteProcess() action accepts user-supplied table names without validating them against the theme's own migration files, violating the principle of least privilege even within the admin trust model. Vendor-released patch 0.31.8.0 implements migration-based whitelist validation to restrict deletions to declared theme tables.
Technical ContextAI
CI4MS is a CodeIgniter 4-based CMS/ERP system that manages themes through a dedicated Theme module. The vulnerable code exists in modules/Theme/Controllers/Theme.php at the deleteProcess() method (~line 147), which interacts with CodeIgniter 4's database forge API. The deleteProcess() action receives a POST parameter 'tables[]' containing table names intended for deletion during theme removal. While the corresponding deleteConfirm view correctly derives valid tables from the theme's migration files, the server-side deleteProcess() does not perform the same validation before passing table names to $forge->dropTable(). This is a classic input validation failure (CWE-20: Improper Input Validation) where user-supplied values are used directly in destructive database operations. The vulnerability affects the Composer package ci4-cms-erp/ci4ms (CPE: pkg:composer/ci4-cms-erp_ci4ms) across versions 0.31.1.0 through 0.31.7.0.
RemediationAI
Vendor-released patch: upgrade to CI4MS version 0.31.8.0 or later. The patch implements migration-based whitelist validation in the Theme::deleteProcess() method, ensuring that only tables declared within the specific theme's migration files can be dropped. Apply the patch immediately via Composer: composer require ci4-cms-erp/ci4ms:0.31.8.0 or update existing installations with composer update ci4-cms-erp/ci4ms. Until patched, restrict access to the theme management backend to only the most trusted administrators and monitor database access logs for unexpected DROP TABLE statements. No compensating controls can reliably prevent exploitation without code modification because the vulnerability requires server-side validation logic that the vulnerable version lacks. The CHANGELOG confirms this fix was intentional by design: the deleteConfirm view scopes checkboxes to the theme's own migration files, and the patch enforces the same scoping on the server side.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28292
GHSA-vgrf-pr28-vf98