The vulnerability is a Cross‑Site Request Forgery flaw in Masa CMS’s site bundle creation routine. An attacker can force a logged‑in administrator to silently generate a complete site bundle without providing a valid anti‑CSRF token. The resulting bundle, which is written to a predictable location on the web server, is publicly readable. An unauthenticated attacker can download the bundle to obtain site content, user details, password hashes, form submissions, email lists, plugins, and configuration data. The weakness is identified as CWE‑352 and carries a CVSS score of 7.1. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog.

MasaCMS versions 7.5.2 and earlier are affected. The fix is included in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. Administrators on older revisions with the expose‑public‑bundle feature enabled must update their installation to a fixed release or apply the workaround.

Because the attack can be triggered by a simple malicious link and only requires a logged‑in admin session, the risk is significant for systems running vulnerable versions. The flaw is not currently listed in KEV and lacks an EPSS entry, but the CVSS severity indicates substantive confidentiality loss. Attackers can exploit this by embedding the crafted request in an attacker‑controlled page or email, and only a single privileged session is required to create the exposed bundle. The combiformation of high confidentiality impact and ease of exploitation warrants urgent remediation.