CVE-2025-55046
Received Received - Intake
CSRF in MuraCMS Trash Function Causes Permanent Data Loss

Publication date: 2026-03-18

Last updated on: 2026-03-20

Assigner: MITRE

Description
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-55046
EUVD
EUVD-2025-208834
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
murasoftware mura_cms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in MuraCMS through version 10.1.10 and is a Cross-Site Request Forgery (CSRF) issue. It allows attackers to permanently delete all content stored in the trash system without the administrator's consent. The vulnerable function, cTrash.empty, does not validate CSRF tokens, which means a malicious website can trick an authenticated administrator into submitting a hidden form that empties the trash system automatically when they visit the malicious page.

Impact Analysis

The impact of this vulnerability is potentially catastrophic data loss within the MuraCMS system. An attacker can cause all deleted content in the trash system to be permanently erased without any confirmation or user consent, which could result in loss of important data that might have been intended for recovery.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this CSRF vulnerability in MuraCMS, immediate steps should focus on preventing unauthorized requests that empty the trash system.

  • Restrict administrator access to trusted networks and devices to reduce exposure to malicious websites.
  • Advise administrators to avoid visiting untrusted or suspicious websites while logged into the MuraCMS administrative interface.
  • Implement or enforce CSRF token validation in the cTrash.empty function to ensure requests are legitimate.
  • Regularly back up all content, including trashed items, to enable recovery in case of accidental or malicious deletion.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart