GHSA-hm42-q32m-vj4f: Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests
Summary
The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data.
Details
modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET:
// modules/plugins.php
$mode = admFuncVariableIsValid($_GET, 'mode', 'string');
$pluginName = admFuncVariableIsValid($_GET, 'name', 'string');
The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly.
Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL.
The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements:
// modules/plugins.php - doUninstall()
function doUninstall($pluginFolder) {
// Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql
// Contains DROP TABLE statements
}
Proof of Concept
The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint:
// playwright-csrf-poc.js
const { test, expect } = require('@playwright/test');
test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => {
const context = await browser.newContext();
const page = await context.newPage();
// Step 1: Admin logs
Details
Original advisory: https://github.com/advisories/GHSA-hm42-q32m-vj4f
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53760 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10