Impact
The vulnerability is a CSRF flaw in SimplCommerce's NewsItemApiController that permits an unauthenticated attacker to send crafted POST requests to the /api/news-items endpoint. If the victim is an administrator, the malicious request creates or modifies news items without any user interaction. The flaw results from missing anti‑CSRF protection, enabling the attacker to exploit an admin’s active session tokens. The impact is a breach of data integrity and potential confidentiality if sensitive content is involved.
Affected Systems
Any instance of SimplCommerce running a version prior to commit 6233d73e is affected. The news module of SimplCommerce contains the vulnerable endpoint. No specific version range is documented; the fix is provided in the referenced commit.
Risk and Exploitability
The CVSS score of 6.9 signals moderate severity. The EPSS score of <1% indicates a low, but not zero, probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is inferred: an unauthenticated attacker induces an administrator to visit a malicious site that submits a crafted POST to /api/news-items. Because the endpoint lacks anti‑CSRF protection, the transaction can be carried out without user interaction, effectively turning an unprivileged user into a means to privilege‑escalate within the application.
OpenCVE Enrichment