Skip to main content

WISECP EUVDEUVD-2025-209906

| CVE-2025-11954 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-20 TR-CERT GHSA-vxj4-gq73-gm2c
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:30 vuln.today

DescriptionCVE.org

Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery.

This issue affects WISECP: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site request forgery in Sitemio Information Technologies' WISECP product through version 20022026 allows attackers to trick authenticated users into performing unintended state-changing actions by visiting a malicious page. Successful exploitation carries high impact across confidentiality, integrity, and availability (CVSS 8.0), though it requires user interaction and the victim to hold valid low-privilege credentials. No public exploit identified at time of analysis, and the vendor did not respond to disclosure outreach by TR-CERT.

Technical ContextAI

WISECP is a commercial hosting/billing automation platform developed by Turkish vendor Sitemio Information Technologies Trade Ltd. Co., used by hosting providers to manage customer accounts, billing, and service provisioning. The CWE-352 root cause indicates the application accepts state-changing HTTP requests without verifying that the request was intentionally submitted by the authenticated user - typically because anti-CSRF tokens are absent, not validated, or because SameSite cookie protections are not enforced. Per the CPE string cpe:2.3:a:sitemio_information_technologies_trade_ltd._co.:wisecp, the flaw is application-layer and affects the WISECP product itself rather than an underlying framework.

RemediationAI

No vendor-released patch identified at time of analysis - TR-CERT reports that Sitemio did not respond to disclosure outreach, so defenders cannot yet cite a fixed version. Operators of WISECP should monitor https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0262 and the vendor's channels for an update, and in the interim apply compensating controls: enforce SameSite=Strict (or at minimum Lax) on session cookies at the reverse proxy or web server to break cross-origin POST/GET-driven CSRF (note this can break legitimate cross-site embeds or single-sign-on flows), require admin/staff users to log out of WISECP when browsing other sites, place the WISECP admin interface behind IP allow-listing or a VPN to limit who can be CSRF'd, and consider deploying a WAF rule that rejects state-changing requests lacking a same-origin Referer/Origin header (which may produce false positives for users on privacy-restricting browsers). Train privileged users to avoid clicking unknown links while logged in.

Share

EUVD-2025-209906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy