CVE-2025-55043
Received Received - Intake
CSRF in MuraCMS Bundle Creation Enables Full Data Exfiltration

Publication date: 2026-03-18

Last updated on: 2026-03-20

Assigner: MITRE

Description
MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables complete data exfiltration from MuraCMS installations without requiring authentication. Attackers can force administrators to unknowingly create site bundles containing sensitive data, which are saved to publicly accessible web directories. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-55043
EUVD
EUVD-2025-208831
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
murasoftware mura_cms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in MuraCMS versions up to 10.1.10, specifically in the bundle creation functionality (csettings.cfc createBundle method). It allows unauthenticated attackers to trick administrators into creating and saving site bundles that contain sensitive data to publicly accessible directories without their knowledge.

Because the attack is silent, administrators remain unaware that confidential information has been exposed and can be downloaded by unauthorized parties.

Impact Analysis

This vulnerability can lead to complete data exfiltration from affected MuraCMS installations without requiring any authentication from the attacker.

  • Exposure of user accounts
  • Exposure of password hashes
  • Exposure of form submissions
  • Exposure of email lists
  • Exposure of plugins and site content

Since the sensitive data is saved to publicly accessible web directories, attackers can download this information without detection.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart