CVE-2025-15456
Unknown Unknown - Not Provided
Improper Authentication in bg5sbk MiniCMS Publish Page Handler

Publication date: 2026-01-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15456
EUVD
EUVD-2026-0913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bg5sbk minicms to 1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15456 is an improper authentication vulnerability in MiniCMS up to version 1.8, specifically in the file /mc-admin/page-edit.php. The flaw occurs because the system removes the mc_token cookie, which is supposed to authenticate users, during the page creation POST request but still processes the request. This allows unauthorized users to edit and publish pages without proper permission verification, effectively bypassing authentication controls. [1, 2, 3]

Impact Analysis

This vulnerability can have serious impacts including unauthorized editing and publishing of pages, leading to copyright infringement, misinformation dissemination, damage to platform credibility, legal disputes, regulatory penalties, economic losses for content creators, and disruption of the online content ecosystem. It can also facilitate malicious activities such as smear campaigns and rumor spreading, undermining user trust and platform reputation. [1, 2]

Compliance Impact

The vulnerability can negatively affect compliance with standards and regulations such as GDPR and HIPAA by exposing the platform to regulatory penalties due to unauthorized content modification, misinformation, and potential data integrity issues. This undermines the platform's ability to maintain data accuracy, integrity, and trustworthiness required by such regulations. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the /mc-admin/page-edit.php endpoint that contain parameters such as title, content, and file, especially if these requests lack a valid mc_token cookie. Additionally, attackers may be found by searching for access attempts using Google dorking with the query inurl:mc-admin/page-edit.php. A proof-of-concept involves capturing POST requests to this endpoint and checking if requests without the mc_token cookie are accepted. Specific commands are not provided, but network monitoring tools or web application firewalls can be configured to log and alert on such suspicious POST requests. [2, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Implement strict permission verification at the start of /mc-admin/page-edit.php by validating user login status and the validity of the mc_token cookie, rejecting unauthorized requests with a 403 HTTP status code. 2) Enhance validation of critical POST parameters such as file, title, and state to prevent parameter tampering. 3) Strengthen cookie validation by linking mc_token to user sessions, regularly updating tokens, and verifying cookie integrity. 4) Upgrade MiniCMS to a newer, patched version and update the PHP environment to a more secure version than 5.2.17. 5) Add operation log auditing to record user identity, timestamp, IP address, and content changes for monitoring and incident response. If a patched version is not available, consider using alternative products. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart