CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-hm42-q32m-vj4f: Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests

mediumCVSS 5.2CVE-2026-53760
Summary The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data. Details modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET: // modules/plugins.php $mode = admFuncVariableIsValid($_GET, 'mode', 'string'); $pluginName = admFuncVariableIsValid($_GET, 'name', 'string'); The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly. Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL. The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements: // modules/plugins.php - doUninstall() function doUninstall($pluginFolder) { // Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql // Contains DROP TABLE statements } Proof of Concept The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint: // playwright-csrf-poc.js const { test, expect } = require('@playwright/test'); test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => { const context = await browser.newContext(); const page = await context.newPage(); // Step 1: Admin logs

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.2
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-hm42-q32m-vj4f

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53760coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories