CVE-2020-25263

7.1 HIGH

📋 TL;DR

This CSRF vulnerability in PyroCMS allows attackers to trick authenticated admin users into unknowingly deleting arbitrary plugins via a malicious link or webpage. It affects PyroCMS 3.7 installations with admin access enabled, potentially disrupting website functionality by removing critical components.

💻 Affected Systems

Products:
  • PyroCMS
Versions: 3.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin user authentication; vulnerability exists in default configuration of affected version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers delete essential plugins, causing complete website functionality loss, data corruption, or service disruption requiring full restoration from backups.

🟠 Likely Case

Malicious actors delete non-critical plugins, causing partial functionality loss, broken features, or requiring plugin reinstallation and configuration.

🟢 If Mitigated

With proper CSRF protections, the attack fails, and no plugin deletion occurs, maintaining system integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated admin users; public proof-of-concept demonstrates the CSRF attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8 or later

Vendor Advisory: https://github.com/pyrocms/pyrocms

Restart Required: No

Instructions:

1. Update PyroCMS to version 3.8 or later.
2. Verify the update via the admin panel.
3. Test plugin management functionality.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add CSRF protection to the vulnerable endpoint manually if patching is delayed.

Modify the vulnerable controller to include CSRF token validation.

Restrict Admin Access (applies to: all)

Limit admin panel access to trusted IP addresses only.

Configure the web server (e.g., Apache .htaccess or Nginx config) to restrict /admin/* paths to specific IPs.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the PyroCMS instance from untrusted networks.
  • Use browser extensions that block CSRF attempts and educate admin users about phishing risks.

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running PyroCMS version 3.7; inspect the /admin/addons/uninstall/anomaly.module.blocks endpoint for missing CSRF protection.

Check Version:

Check the PyroCMS admin dashboard or inspect the composer.json file for version information.

Verify Fix Applied:

Confirm PyroCMS version is 3.8 or later; test the vulnerable endpoint with a CSRF attempt to ensure it fails.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/addons/uninstall/anomaly.module.blocks with a missing or off-site Referer header
  • Multiple plugin deletion events from a single admin session

Network Indicators:

  • HTTP requests to the vulnerable endpoint without CSRF tokens from unexpected sources

SIEM Query:

source="web_logs" AND uri="/admin/addons/uninstall/anomaly.module.blocks" AND method="POST" AND NOT csrf_token=*
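Detection logic for the log indicators above, as an added example that is not part of the original advisory: it parses web server access log lines in Combined Log Format (with Referer and User-Agent) and flags uninstall POSTs whose Referer is missing or points off-site, plus bursts of uninstall POSTs from one client. The site hostname, burst threshold and sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Endpoint named in this advisory (prefix match: the addon slug is the last path segment).
UNINSTALL_PREFIX = "/admin/addons/uninstall/"
SITE_HOST = "cms.example.org"   # assumed hostname of the protected PyroCMS install
BURST_THRESHOLD = 3             # assumed: flag a client at this many uninstall POSTs

# Combined Log Format with Referer and User-Agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_is_offsite(referer: str) -> bool:
    """True when the Referer is missing ('-') or names a host other than the CMS."""
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != SITE_HOST

def detect_csrf_uninstalls(lines):
    """Return (reason, client_ip, uri) findings for suspicious uninstall POSTs."""
    findings = []
    per_client = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        if m["method"] != "POST" or not m["uri"].startswith(UNINSTALL_PREFIX):
            continue
        per_client[m["ip"]] += 1
        if referer_is_offsite(m["referer"]):
            findings.append(("offsite_referer", m["ip"], m["uri"]))
        if per_client[m["ip"]] == BURST_THRESHOLD:
            findings.append(("uninstall_burst", m["ip"], m["uri"]))
    return findings

# Constructed sample log lines (not real traffic): one uninstall submitted from the
# admin UI, two whose Referer is off-site or absent, then an unrelated GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "POST /admin/addons/uninstall/anomaly.module.blocks HTTP/1.1" 302 0 "https://cms.example.org/admin/addons/installed" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2020:14:01:02 +0000] "POST /admin/addons/uninstall/anomaly.module.blocks HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2020:14:01:03 +0000] "POST /admin/addons/uninstall/anomaly.module.blocks HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2020:14:01:04 +0000] "GET /admin/addons/installed HTTP/1.1" 200 5120 "https://cms.example.org/admin" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in detect_csrf_uninstalls(SAMPLE_LOG):
        print(finding)
```

The Referer check is a heuristic: browsers and privacy settings can strip the header, so treat the "offsite_referer" finding as a trigger for review rather than proof of exploitation.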
