Impact
Redaxo CMS versions 4.7.2 and 5.2 contain a CSRF flaw that permits attackers to add new administrator accounts without the victim’s consent. By directing an authenticated administrator to a crafted HTML form that submits to the users endpoint with hidden fields, an attacker can create high‑privilege accounts. The resulting new admin users grant the attacker full control over the CMS, enabling data theft, site defacement, or further compromise of connected services. This vulnerability is classified as a Cross‑Site Request Forgery weakness (CWE‑352).
Affected Systems
The vulnerability affects Redaxo CMS 4.7.2 and 5.2. Any installation of these releases, regardless of configuration, is susceptible if the users endpoint is reachable and the application accepts form submissions without validating request origin.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity; the EPSS score is below 1 %, suggesting a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a legitimate administrator to be authenticated and to visit a malicious page, so the attacker must obtain a session cookie or rely on social engineering. The impact is high for systems where administrators remain online for prolonged periods or are not protected by additional anti‑CSRF controls. Because the attack vector is user‑initiated, mitigations such as timely updates, strong authentication practices, and CSRF protection significantly lower the risk.
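The condition described above, an endpoint that acts on any authenticated form submission without validating request origin, and the anti‑CSRF controls named as mitigations can be shown side by side. The following Python is an added illustration written for this page, not Redaxo code: it models a user‑creation handler in the weak form (session plus form fields is enough) and in a hardened form that checks the Origin/Referer header against the site origin and requires a per‑session synchronizer token. The site origin, session structure and form field names are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed value for the example; a real deployment derives this from its config.
SITE_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    """Minimal stand-in for an authenticated admin session (assumption)."""
    user: str
    is_admin: bool
    # Per-session secret embedded in legitimate forms; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_create_user(session, form, users):
    """Weak pattern: being logged in is the only check, so a forged POST succeeds."""
    if not session.is_admin:
        return False, "forbidden"
    users[form["login"]] = {"admin": form.get("admin") == "1"}
    return True, "created"


def request_origin_ok(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is the site itself."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    # Neither header present: cannot prove same-site, so fail closed.
    return False


def hardened_create_user(session, headers, form, users):
    """Hardened pattern: origin check plus constant-time synchronizer-token comparison."""
    if not session.is_admin:
        return False, "forbidden"
    if not request_origin_ok(headers):
        return False, "origin mismatch"
    token = form.get("_csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "bad csrf token"
    users[form["login"]] = {"admin": form.get("admin") == "1"}
    return True, "created"


def demo():
    """Run both handlers against a cross-site submission and a legitimate one."""
    admin = Session(user="admin", is_admin=True)
    forged_form = {"login": "newadmin", "admin": "1"}      # constructed hidden fields
    forged_headers = {"Origin": "https://other.example.test"}
    legit_form = dict(forged_form, _csrf_token=admin.csrf_token)
    legit_headers = {"Origin": SITE_ORIGIN}

    results = {}
    users = {}
    results["weak_forged"] = vulnerable_create_user(admin, forged_form, users)[0]
    users = {}
    results["hard_forged"] = hardened_create_user(admin, forged_headers, forged_form, users)[0]
    users = {}
    results["hard_legit"] = hardened_create_user(admin, legit_headers, legit_form, users)[0]
    users = {}
    # Same origin but no token (e.g. a stale or stripped form) is also refused.
    results["hard_no_token"] = hardened_create_user(admin, legit_headers, forged_form, users)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'created' if ok else 'rejected'}")
```

The origin check alone is a useful defence in depth but is not sufficient on its own (some clients omit both headers), which is why the token check is the primary control; marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser‑enforced layer.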
OpenCVE Enrichment