CVE-2025-55044 in MuraCMS
Summary
by MITRE • 03/18/2026
The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content to arbitrary parent locations when an authenticated administrator visits a crafted webpage. Successful exploitation of the Trash Restore CSRF vulnerability results in unauthorized restoration of deleted content to potentially inappropriate or malicious locations within the MuraCMS website structure. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that restores specified content from the trash to a location determined by the attacker through the parentid parameter. This can lead to restoration of previously deleted malicious content, placement of sensitive documents in public areas, manipulation of website navigation structure, or restoration of outdated content that was intentionally removed for security or compliance reasons.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/24/2026
The CVE-2025-55044 vulnerability represents a critical Cross-Site Request Forgery flaw within MuraCMS version 10.1.10 and earlier, specifically targeting the cTrash.restore function that governs content restoration operations. This vulnerability stems from the complete absence of CSRF token validation in the affected restore functionality, creating a fundamental security gap that allows attackers to manipulate content management operations without proper authorization. The flaw operates by exploiting the trust relationship between the CMS and authenticated administrator sessions, where malicious actors can craft web pages that automatically submit restore requests when administrators browse to compromised sites.
The technical implementation of this vulnerability demonstrates a classic CSRF attack pattern where the malicious website embeds a hidden form or script that automatically submits a request to the MuraCMS restore endpoint. The exploit leverages the authenticated session of the administrator, using the parentid parameter to specify arbitrary target locations within the CMS structure where restored content will be placed. This parameter manipulation enables attackers to restore deleted content to locations that may contain sensitive data, public-facing areas, or strategic navigation points within the website hierarchy. The vulnerability directly violates the principle of least privilege and session integrity, as it allows unauthorized content placement operations through forged requests.
The operational impact of this vulnerability extends beyond simple content restoration, as it can be leveraged to compromise website security and integrity in multiple ways. Attackers can restore previously deleted malicious code or content that was intentionally removed for security reasons, potentially re-introducing vulnerabilities that were thought to be resolved. The ability to place sensitive documents in public areas creates data exposure risks, while manipulation of navigation structures can disrupt website functionality and user experience. Additionally, the restoration of outdated content that was removed for compliance or security reasons can create regulatory violations and undermine the organization's security posture. This vulnerability particularly affects content management workflows where administrators frequently interact with multiple websites or where session management is not properly enforced.
Security mitigation strategies for CVE-2025-55044 should focus on implementing robust CSRF protection mechanisms within the MuraCMS framework, including mandatory token validation for all content restoration operations. The solution must ensure that every restore request includes a unique, session-specific token that validates the authenticity of the user's intent, preventing automatic execution of restore operations through malicious websites. Organizations should also implement proper input validation and parameter sanitization for the parentid parameter, ensuring that only authorized locations can receive restored content. This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and maps to ATT&CK technique T1566.001 for the initial access phase through malicious websites. Regular security assessments and session management reviews should be conducted to identify similar CSRF vulnerabilities in other CMS components and ensure comprehensive protection against automated exploitation attempts.