CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53760

mediumCVSS 5.2covered by 1 sourcefirst seen 2026-07-09
Summary The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data. Details modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET: // modules/plugins.php $mode = admFuncVariableIsValid($_GET, 'mode', 'string'); $pluginName = admFuncVariableIsValid($_GET, 'name', 'string'); The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly. Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL. The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements: // modules/plugins.php - doUninstall() function doUninstall($pluginFolder) { // Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql // Contains DROP TABLE statements } Proof of Concept The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint: // playwright-csrf-poc.js const { test, expect } = require('@playwright/test'); test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => { const context = await browser.newContext(); const page = await context.newPage(); // Step 1: Admin logs

⚡ Watch CVE-2026-53760

Get an email if CVE-2026-53760 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53760

CVE.org record

Embed the live status

CVE-2026-53760 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53760 status](https://www.csirts.com/badge/CVE-2026-53760)](https://www.csirts.com/cve/CVE-2026-53760)