PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25370 Admidio CVE debrief

CVE-2018-25370 documents a cross-site request forgery (CSRF) vulnerability in Admidio 3.3.5 that allows a low-privilege user to escalate their permissions. The flaw is improper origin checking in roles_function.php: the endpoint accepts a state-changing request without verifying that it originated from the application's own pages, so an attacker can host an HTML form that submits the role parameters rol_assign_roles, rol_approve_users and rol_edit_user set to 1. The attacker needs no credentials of their own; as with any CSRF, the forged request is issued by the browser of an already authenticated user who is allowed to edit roles, and the server processes it under that user's session. The vulnerability was published to CVE on 2026-05-25 and modified on 2026-05-26. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, and low confidentiality, integrity and availability impact. The weakness is classified as CWE-352 (Cross-Site Request Forgery). The NVD status is currently Deferred. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor
Admidio
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running Admidio 3.3.5 for membership management, particularly those that rely on its role-based permissions to separate members from administrators. Security teams responsible for web application security and privilege management. System administrators maintaining Admidio deployments should first verify which version is installed.

Technical summary

The vulnerability exists in Admidio 3.3.5's roles_function.php because the endpoint lacks CSRF protection: it neither validates an anti-CSRF token nor checks the Origin or Referer of the request. An attacker can host an HTML form whose fields set the role permission parameters (rol_assign_roles, rol_approve_users, rol_edit_user) to 1 and submit it automatically. When a logged-in user with permission to edit roles visits that page, the browser attaches the user's Admidio session cookie and the server processes the forged request as a legitimate role change, granting the attacker's account elevated privileges. The attacker therefore needs no credentials and no prior privilege on the target, which is what the CVSS 4.0 scoring reflects: network accessibility, low attack complexity, no privileges required, and low impact on confidentiality, integrity and availability.

Defensive priority

medium

Recommended defensive actions

  • Review Admidio installations for version 3.3.5 and apply vendor patches if available; where the installation cannot be upgraded, restrict access to the administrative modules by network
  • Implement CSRF token validation for all state-changing requests in roles_function.php: a per-session synchronizer token embedded in every form and compared on the server in constant time
  • Configure web application firewall rules to flag or block POSTs to roles_function.php whose Origin or Referer header is missing or not the Admidio host, rather than blocking the role parameters themselves, which would also block legitimate administration
  • Set the SameSite attribute (Lax or Strict) on the session cookie so that a cross-site POST is sent without it
  • Audit user role assignments for unauthorized privilege escalations, in particular roles that unexpectedly gained rol_assign_roles, rol_approve_users or rol_edit_user
  • Add origin validation and Referer checking for sensitive administrative functions as defense in depth; the token check remains the primary control, since Referer can be stripped by privacy settings and proxies
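The following is an added example, not Admidio's code, showing what the technical summary and the recommended actions above describe for a handler like roles_function.php: the shape of the forged form the attacker hosts, and a hardened server-side entry point that rejects the request unless it is a same-origin POST carrying the session's anti-CSRF token, with the session cookie issued as SameSite=Lax. The hostname admidio.example.org, the function names csrf_token and csrf_guard, and the way the role flags are read are assumptions for illustration.

```php
<?php
// Added example (not Admidio's code). Hardened entry point for a role-editing
// handler in the spirit of roles_function.php. Names and hostname are assumed.
//
// What the attacker hosts (constructed illustration; the real form also
// carries the id of the role being edited, and the action URL is the
// roles_function.php endpoint on the target host):
//
//   <form id="f" action="https://admidio.example.org/.../roles_function.php" method="post">
//     <input type="hidden" name="rol_assign_roles"  value="1">
//     <input type="hidden" name="rol_approve_users" value="1">
//     <input type="hidden" name="rol_edit_user"     value="1">
//   </form>
//   <script>document.getElementById('f').submit();</script>
//
// Without the checks below, a logged-in role editor who opens that page
// submits the change with their own session cookie.

declare(strict_types=1);

const ALLOWED_HOST = 'admidio.example.org';  // hypothetical deployment hostname

// Issue the session cookie with SameSite=Lax so a cross-site POST does not
// carry it at all (defence in depth; the token check is the primary control).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Synchronizer token: generated once per session and embedded in every
// state-changing form as <input type="hidden" name="csrf_token" value="...">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns true only for a same-origin POST that carries the session's token.
// Any failure is a rejection; that is what closes the CSRF.
function csrf_guard(array $server, array $post, ?string $sessionToken): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                       // role changes must never be GET
    }
    // Origin check: browsers send Origin on cross-site POSTs; fall back to
    // Referer. A POST with neither header is treated as hostile.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host   = parse_url($source, PHP_URL_HOST);   // null/false for "", "null", junk
    if (!is_string($host) || strcasecmp($host, ALLOWED_HOST) !== 0) {
        return false;
    }
    // Token check in constant time to avoid a timing side channel.
    $submitted = $post['csrf_token'] ?? '';
    if ($sessionToken === null || $sessionToken === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($sessionToken, $submitted);
}

if (!csrf_guard($_SERVER, $_POST, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Request rejected: cross-site request or missing CSRF token');
}

// Only now read the three flags the advisory names; anything else is ignored,
// and only the literal "1" enables a flag.
$flags = [];
foreach (['rol_assign_roles', 'rol_approve_users', 'rol_edit_user'] as $name) {
    $flags[$name] = (($_POST[$name] ?? '0') === '1') ? 1 : 0;
}
// ... persist $flags for the selected role here (application-specific), and
// still verify that the *current* user is allowed to edit that role.
```

The Origin check alone would already defeat the form shown in the comment, because a browser sets Origin to the attacker's site on a cross-site POST; the token is kept as the primary control because Origin and Referer can be absent on some requests and a missing header must then be treated as a failure, not a pass. The final comment is the other half of the fix: CSRF protection stops a forged request, but the handler must still authorize the acting user before changing role flags.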

Evidence notes

Vulnerability identified in the Admidio 3.3.5 roles_function.php endpoint. The CSRF attack vector is confirmed through an exploit database reference. Vendor identification is based on a reference-domain candidate with low confidence and requires review.

Official resources

2026-05-25