Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms


Reported on

Oct 11th 2021


  1. Missing CSRF token in delete posts and delete folder in the frontend
  2. Missing backend CSRF validation in 1) removing and enabling fix status and 2) deleting posts, and 3) delete folder and 4) del_exclude in the indexing page (see Permalinks)
  3. Delete cache

Proof of Concept

Open in index.html
        <form action="http://[FLATCORE-IP]/flatCore-CMS/acp/acp.php?tn=posts" method="POST">
        <input type="hidden" name="delete_id" value="2" />


Attackers can trick admin users into deleting posts and changing fix status.


delete cache backend

missing delete post validation backend

delete_cache frontend

missing delete folder frontend

missing delete folder backend

missing delete element frontend

removed fixed backend

set fixed backend

We created a GitHub Issue asking the maintainers to create a 2 months ago
2 months ago


Hi @admin, maintainer says he will take time to post the,, if possible, could you help me by posting the report links there? Thanks!

haxatron modified their report
2 months ago
haxatron modified their report
2 months ago
Jamie Slome
2 months ago


@haxatron - feel free to share the report URLs on the Github issue that has been created. You are always welcome to share these reports, as the maintainers that view them will be authorised to view.

If the maintainers prefer not to sign up, we request the so that we can send a magic URL, giving them access, to their elected email address.

Patrick validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 1d0259 2 months ago
Patrick has been awarded the fix bounty has been validated has been validated
posts.list.php#L50L59 has been validated
files.browser.php#L191L210 has been validated
files.browser.php#L609L617 has been validated
pages.index.php#L428L438 has been validated
posts.list.php#L11L31 has been validated
posts.list.php#L38L46 has been validated