Wolfcms 0.75 (and lower) is prone to multiple CSRF vulnerabilities that allow an attacker to delete an admin/user account, delete web pages, delete the “images” and “themes” directories, or force a logout when an authenticated admin/user browses a specially crafted web page.
This CMS is also affected by XSS vulnerabilities in the “wolfcms/admin/user/add” page due to improper input sanitization of the “user[name]”, “user[email]” and “user[username]” parameters passed via the POST HTTP method.
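As an added defensive example (not code from WolfCMS or from the advisory), the snippet below shows the two mitigations these findings call for: a per-session synchronizer token required by every state-changing admin action (delete user/page/directory, logout), and HTML escaping of the user[] fields before they are echoed back by the user/add form. The function names, the `csrf_token` session key and the `handle_user_add` handler are assumptions for illustration.

```php
<?php
// Added defensive example, not WolfCMS code. Protects the state-changing admin
// actions named in the advisory with a synchronizer token and escapes the
// user[name]/user[email]/user[username] values before they reach HTML.
session_start();

function csrf_token(): string {
    // One random token per session; stored server-side, compared on each POST.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call first in every handler that changes state (delete, logout, user/add).
// A link or image tag on a third-party page cannot satisfy either check.
function require_csrf_token(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('State-changing actions must be POSTed');
    }
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the token must match exactly.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Escape a value for an HTML context (attribute or text node).
function h(?string $value): string {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hidden field to embed in every admin form, including the logout form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">';
}

// Hypothetical handler for the admin "user/add" submission.
function handle_user_add(): void {
    require_csrf_token();
    $user     = $_POST['user'] ?? [];
    $name     = trim((string)($user['name'] ?? ''));
    $email    = trim((string)($user['email'] ?? ''));
    $username = trim((string)($user['username'] ?? ''));
    // ... validate lengths/format and store the record here ...
    // Every echoed field goes through h(), so injected markup renders as text.
    echo '<p>Created user ' . h($username) . ' (' . h($name) . ', ' . h($email) . ')</p>';
}
```

Requires PHP 7.1 or newer for `random_bytes()` and the nullable type hint.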
To view my Original Advisory:
Wolfcms 0.75 Multiple Vulnerabilities (CSRF-XSS)
Other related publications:
Offensive Security DB
IBM X-Force Wolfcms XSS
IBM X-Force Wolfcms CSRF
NIST – NVDB