Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms


Reported on

Oct 11th 2021


  1. Missing CSRF token in delete posts and delete folder in the frontend
  2. Missing backend CSRF validation in 1) removing and enabling fix status and 2) deleting posts, and 3) delete folder and 4) del_exclude in the indexing page (see Permalinks)
  3. Delete cache

Proof of Concept

Open in index.html
        <form action="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts" method="POST">
        <input type="hidden" name="delete_id" value="2" />


Attackers can trick admin users into deleting posts and changing fix status.


delete cache backend

missing delete post validation backend

delete_cache frontend

missing delete folder frontend

missing delete folder backend

missing delete element frontend

removed fixed backend

set fixed backend

We created a GitHub Issue asking the maintainers to create a a year ago
a year ago


Hi @admin, maintainer says he will take time to post the,, if possible, could you help me by posting the report links there? Thanks!

haxatron modified the report
a year ago
haxatron modified the report
a year ago
Jamie Slome
a year ago


@haxatron - feel free to share the report URLs on the Github issue that has been created. You are always welcome to share these reports, as the maintainers that view them will be authorised to view.

If the maintainers prefer not to sign up, we request the so that we can send a magic URL, giving them access, to their elected email address.

Patrick validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick marked this as fixed with commit 1d0259 a year ago
Patrick has been awarded the fix bounty
This vulnerability will not receive a CVE has been validated has been validated
posts.list.php#L50L59 has been validated
files.browser.php#L191L210 has been validated
files.browser.php#L609L617 has been validated
pages.index.php#L428L438 has been validated
posts.list.php#L11L31 has been validated
posts.list.php#L38L46 has been validated
to join this conversation