CVE-2025-15455

6.5 MEDIUM

📋 TL;DR

This vulnerability in MiniCMS allows a remote, unauthenticated attacker to delete pages by bypassing the authentication check on the page-deletion handler. It affects MiniCMS versions up to 1.8. A public exploit is available and can be used against internet-facing installations.

💻 Affected Systems

Products:
  • bg5sbk MiniCMS
Versions: Up to version 1.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the file recovery request handler component at /minicms/mc-admin/page.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete website defacement or destruction through unauthorized deletion of all pages, potentially causing business disruption and data loss.

🟠 Likely Case

Selective page deletion leading to content loss, website defacement, and potential SEO damage.

🟢 If Mitigated

No impact if proper authentication controls and network segmentation are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept has been published on GitHub; exploitation requires sending crafted requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to a forked or maintained version, if one exists, or apply the workarounds below.

🔧 Temporary Workarounds

Authentication Enforcement (applies to: all)

Add proper authentication checks to the delete_page function in page.php: edit /minicms/mc-admin/page.php to validate the admin session before any delete operation is performed.

Access Restriction (applies to: all)

Restrict access to the /minicms/mc-admin/ directory using web server configuration:

# Apache: add "Require valid-user" to the .htaccess file in the mc-admin directory
# Nginx: add auth_basic directives to the location block for mc-admin

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized requests to /minicms/mc-admin/page.php
  • Monitor and alert on any access attempts to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the MiniCMS version is 1.8 or earlier and whether /minicms/mc-admin/page.php is reachable without proper authentication.

Check Version:

Check MiniCMS version in configuration files or admin panel

Verify Fix Applied:

Test if unauthorized requests to delete pages are properly rejected with authentication errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /minicms/mc-admin/page.php with delete_page parameter
  • Failed authentication attempts followed by page deletion requests

Network Indicators:

  • HTTP requests to the vulnerable endpoint without proper authentication headers
  • Unusual traffic patterns to admin pages

SIEM Query:

source="web_server" AND (uri="/minicms/mc-admin/page.php" AND method="POST" AND NOT user_authenticated="true")
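The log indicators above, turned into a small detector run over constructed access-log lines (an added example, not from the original advisory or from MiniCMS itself). It assumes Apache combined log format, takes the delete_page parameter name from the indicator list, and treats a 401/403 on any mc-admin URL as a failed admin login.

```python
import re

# Constructed Apache combined-format access log lines (not from a real server).
# delete_page is placed in the query string so that it is visible in the log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /minicms/mc-admin/index.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "POST /minicms/mc-admin/page.php?delete_page=about HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:10:01:00 +0000] "GET /minicms/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:01:05 +0000] "POST /minicms/mc-admin/page.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ADMIN_PREFIX = "/minicms/mc-admin/"
VULN_PATH = ADMIN_PREFIX + "page.php"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["path"], _, req["query"] = req["target"].partition("?")
    return req


def find_suspicious(log_text):
    """Return (ip, timestamp, reason) alerts for the indicators listed above.

    Assumption: a 401/403 on any mc-admin URL counts as a failed admin login;
    a later POST to page.php from the same IP is escalated in the reason text.
    """
    alerts = []
    failed_auth_ips = set()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if req["path"].startswith(ADMIN_PREFIX) and req["status"] in ("401", "403"):
            failed_auth_ips.add(req["ip"])
            continue
        if req["path"] == VULN_PATH and req["method"] == "POST":
            reason = "POST to vulnerable endpoint"
            if "delete_page" in req["query"]:
                reason += " with delete_page parameter"
            if req["ip"] in failed_auth_ips:
                reason += " after failed admin authentication"
            alerts.append((req["ip"], req["ts"], reason))
    return alerts
```

POST bodies are not recorded in access logs, so the delete_page parameter is only visible here when it is sent in the query string; to see body parameters, log at the WAF or application layer instead.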
