Cyber Resilience

CVE-2025-1891

MediumPublic PoC

Published: 04 March 2025

Published
04 March 2025
Modified
28 August 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 54.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1891 is a medium-severity CSRF (CWE-352) vulnerability in Qzw1210 Shishuocms. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1891 is a cross-site request forgery (CSRF) vulnerability, classified as problematic, affecting shishuocms version 1.1. The issue impacts some unknown processing within the software and is associated with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, no required privileges, and user interaction needed.

An attacker can exploit this vulnerability remotely by manipulating a victim into submitting a malicious request, such as via a crafted link or form on a malicious site. No attacker privileges are required, but the victim must be authenticated to shishuocms and interact with the attacker's payload. Successful exploitation enables limited integrity impacts, potentially allowing unauthorized actions on the victim's behalf without affecting confidentiality or availability.

References from VulDB and a GitHub repository document the vulnerability, noting that the exploit has been publicly disclosed and may be used. No specific patches, vendor advisories, or mitigation guidance are detailed in the provided sources.

EU & UK References

Vulnerability details

A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may…

more

be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF vulnerability in public-facing web CMS enables exploitation of public-facing applications to perform unauthorized actions via crafted requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1169Shared CWE-352, CWE-862
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2024-37102Shared CWE-352
CVE-2024-37450Shared CWE-352
CVE-2026-42083Shared CWE-862
CVE-2025-23558Shared CWE-352
CVE-2026-0656Shared CWE-862
CVE-2025-68722Shared CWE-352
CVE-2026-24532Shared CWE-862

Affected Assets

qzw1210
shishuocms
1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 directly mitigates this CVE by requiring identification, reporting, and correction of the specific CSRF flaw in shishuocms 1.1.

prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, directly countering CSRF attacks that forge requests on behalf of authenticated users.

prevent

SI-10 mandates validation of information inputs, including anti-CSRF tokens, to block forged requests exploiting this vulnerability.

References