CMSsite 1.0 is vulnerable to cross‑site request forgery on the users.php endpoint. An attacker can embed malicious HTML forms that, when visited by a logged‑in administrator, automatically submit POST requests carrying parameters such as source=add_user, source=edit_user, or del=1. This flaw permits the attacker to create, alter, or delete admin user accounts without proper authorization. The vulnerability is a classic example of CWE‑352, leading to unauthorized privilege escalation and potential compromise of the entire administrative control plane. The impact is primarily integrity and confidentiality of the administrative domain, as the attacker can subvert the system’s intended user management.

The affected product is CMSsite 1.0, developed by VictorAlagwu. The specific version referenced is 1.0, and the CPE string cpe:2.3:a:victoralagwu:cmssite:1.0 indicates the vulnerable release.

The CVSS score of 5.3 places the vulnerability in the medium severity range. The EPSS score of less than 1% suggests that the likelihood of widespread exploitation in the immediate future is low, and the vulnerability is not listed in the CISA KEV catalog. However, a successful CSRF attack requires the victim to be an authenticated administrator who is lured to a crafted page, an event that can be engineered with social engineering techniques. Attackers would exploit the flaw by hosting malicious content that triggers the POST request, leveraging the victim’s existing session credentials.