PatchSiren cyber security CVE debrief
CVE-2016-7904 Cmsmadesimple CVE debrief
CVE-2016-7904 describes a cross-site request forgery (CSRF) issue in CMS Made Simple that affects versions through 2.1.5. The vulnerable flow involves admin/adduser.php, where an attacker can induce an authenticated administrator to submit a request that creates accounts. The vendor reference and CVE description indicate the issue is addressed in 2.1.6.
- Vendor: Cmsmadesimple
- Product: CVE-2016-7904
- CVSS: HIGH 8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-16
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-16
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams running CMS Made Simple, especially instances at version 2.1.5 or earlier. Web application owners should pay particular attention if administrative actions are reachable from browser sessions used by privileged users.
Technical summary
NVD classifies the weakness as CWE-352 (CSRF) and lists the affected CMS Made Simple CPE range as versions up to and including 2.1.5. The CVSS 3.0 vector is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network-reachable impact with user interaction required and high potential impact if the attack succeeds. The CVE description specifically calls out authentication hijacking of administrators for requests that create accounts via admin/adduser.php.
Defensive priority
High. Prioritize remediation for any CMS Made Simple deployment at or below 2.1.5, especially systems used by multiple administrators or exposed to the internet. CSRF affecting account creation can quickly lead to unauthorized access and privilege misuse.
Recommended defensive actions
- Upgrade CMS Made Simple to 2.1.6 or later.
- Inventory all CMS Made Simple installations and confirm the exact version in use.
- Review administrative workflows that create users or change privileges and ensure they are protected against CSRF.
- Restrict access to administrator interfaces to trusted networks or VPNs where feasible.
- Audit existing administrator and newly created accounts for unexpected additions or changes.
- Monitor web logs and application logs for suspicious requests to admin/adduser.php and related admin actions.
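The last two actions above can be partly automated. The script below is an added example, not part of the PatchSiren debrief or the CMS Made Simple project: it parses Apache/nginx "combined" access-log lines and flags POST submissions to the user-creation endpoint named in the CVE (admin/adduser.php) whose Referer is absent or belongs to a host other than the CMS itself, which is the pattern a cross-site forged request leaves in the log. The hostname cms.example.test, the log lines and the source addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "cms.example.test"            # assumed hostname of the monitored CMS Made Simple instance
WATCHED_PATHS = ("/admin/adduser.php",)   # admin action named in CVE-2016-7904

# Constructed sample lines: a normal form load and submission from the admin UI,
# then two submissions that did not originate from the CMS's own pages.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2017:10:01:02 +0000] "GET /admin/adduser.php HTTP/1.1" 200 5120 "https://cms.example.test/admin/listusers.php" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2017:10:01:40 +0000] "POST /admin/adduser.php HTTP/1.1" 302 0 "https://cms.example.test/admin/adduser.php" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2017:10:05:11 +0000] "POST /admin/adduser.php HTTP/1.1" 302 0 "http://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2017:10:06:30 +0000] "POST /admin/adduser.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if the entry looks like a cross-site admin submission, else None."""
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0]          # ignore any query string
    if not path.endswith(WATCHED_PATHS):
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "POST to admin user-creation endpoint without a Referer"
    host = urlparse(referer).hostname or ""
    if host.lower() != SITE_HOST:
        return f"POST to admin user-creation endpoint from foreign origin {host}"
    return None


def find_suspicious(log_text):
    """Scan log text and return one finding per request that classify() flags."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": entry["status"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']}: {f['reason']}")
```

A missing Referer on its own is a weak signal, because browsers strip it under some referrer policies and privacy settings, so treat those hits as leads to correlate with the account audit (new administrator accounts created around the flagged timestamps) rather than as confirmation. A Referer on a foreign host for a POST to an admin endpoint is a much stronger indicator and is worth alerting on directly.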
Evidence notes
The CVE published date supplied with the record is 2017-01-16T06:59:00.133Z. NVD metadata lists the record as modified on 2026-05-13T00:24:29.033Z; that is record-maintenance timing, not original disclosure timing. Source data identifies CWE-352, the vulnerable version range through 2.1.5, and references the CMS Made Simple changelog advisory, an OSS Security mailing list post, and a SecurityFocus entry.
Official resources
- CVE-2016-7904 CVE record (CVE.org)
- CVE-2016-7904 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in the CVE record on 2017-01-16. The supplied NVD modified timestamp of 2026-05-13 reflects later record updates, not the original disclosure date.