Cross-Site Request Forgery (CSRF) in publify/publify

Valid

Reported on Oct 9th 2021

Description

An attacker is able to craft a URL whose parameters carry the theme-switching command. When a logged-in administrator opens the malicious link, the theme is changed.

Proof of Concept

With an admin user, simply open the following URL (replace the hostname):

https://<HOSTNAME_HERE>/admin/themes/switchto?theme=bootstrap-2

Within the default installation, there are 2 themes:

  • plain
  • bootstrap-2

Simply replace the parameter value with a theme name, and the selected theme will be activated.

Impact

If an administrator opens a link that changes the site's theme, the site can end up bricked, because for more complex themes the mapping might not work properly.
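The report describes a state-changing action (switching the theme) that is reachable with a plain GET and no anti-CSRF token, so any page the administrator visits can trigger it. The following plain-Ruby example, added here and not taken from publify or from fix commit b4b740, models that weak handler beside a hardened one: the hardened version accepts only POST, checks a per-session token in constant time, and validates the theme against an allowlist. The `Request`, `Site`, `switchto_vulnerable` and `switchto_hardened` names are hypothetical stand-ins, not the project's own code.

```ruby
require "securerandom"

# Hypothetical minimal request/session model; not Rails and not publify's code.
Request = Struct.new(:http_method, :params, :session, keyword_init: true)

# The two themes shipped in a default installation, as named in the report.
AVAILABLE_THEMES = %w[plain bootstrap-2].freeze

# Hypothetical site object holding the active theme.
class Site
  attr_accessor :theme
  def initialize(theme = "plain")
    @theme = theme
  end
end

# Weak pattern: a state change reachable by GET with no token check.
# A link or <img> on any page the admin views is enough to trigger it.
def switchto_vulnerable(site, request)
  site.theme = request.params["theme"]
  :switched
end

# Constant-time comparison so a token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue (or reuse) a per-session CSRF token; the legitimate form embeds it.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Hardened pattern: POST only, token must match the session, theme must be known.
def switchto_hardened(site, request)
  return :method_not_allowed unless request.http_method == "POST"
  expected = request.session[:csrf_token]
  submitted = request.params["authenticity_token"]
  return :invalid_csrf_token unless expected && secure_compare(expected, submitted)
  theme = request.params["theme"]
  return :unknown_theme unless AVAILABLE_THEMES.include?(theme)
  site.theme = theme
  :switched
end

# Constructed scenarios: a forged cross-site request carries no session token,
# so it can only ever present a guessed one.
def run_scenarios
  session = {}
  token = csrf_token_for(session) # the admin is logged in and has a token
  results = {}

  forged_get = Request.new(http_method: "GET",
                           params: { "theme" => "bootstrap-2" }, session: session)
  site = Site.new
  results[:vulnerable_forged_get] = [switchto_vulnerable(site, forged_get), site.theme]
  site = Site.new
  results[:hardened_forged_get] = [switchto_hardened(site, forged_get), site.theme]

  forged_post = Request.new(http_method: "POST",
                            params: { "theme" => "bootstrap-2", "authenticity_token" => "guess" },
                            session: session)
  site = Site.new
  results[:hardened_forged_post] = [switchto_hardened(site, forged_post), site.theme]

  legit_post = Request.new(http_method: "POST",
                           params: { "theme" => "bootstrap-2", "authenticity_token" => token },
                           session: session)
  site = Site.new
  results[:hardened_legit_post] = [switchto_hardened(site, legit_post), site.theme]

  bogus_theme = Request.new(http_method: "POST",
                            params: { "theme" => "../not-a-theme", "authenticity_token" => token },
                            session: session)
  site = Site.new
  results[:hardened_unknown_theme] = [switchto_hardened(site, bogus_theme), site.theme]
  results
end

if __FILE__ == $0
  run_scenarios.each { |name, (outcome, theme)| puts "#{name}: #{outcome} (theme=#{theme})" }
end
```

In a Rails application the equivalent of the hardened branch is routing the action as POST (or PATCH) and keeping `protect_from_forgery` enabled; Rails verifies the authenticity token only on non-GET/HEAD requests, which is exactly why a state change exposed on a GET route sidesteps that protection.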

We have contacted a member of the publify team and are waiting to hear back 2 years ago
Matijs van Zuijlen validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs 2 years ago
Matijs van Zuijlen marked this as fixed with commit b4b740 2 years ago
Matijs van Zuijlen has been awarded the fix bounty
This vulnerability will not receive a CVE
themes_controller.rb#L23 has been validated