Wolfcms <= 0.75 Multiple Vulnerabilities

Wolfcms 0.75 (and lower) is prone to multiple CSRF vulnerabilities that allow an attacker to delete an admin/user account, delete web pages, delete the "images" and "themes" directories, and force a logout when an authenticated admin/user browses a specially crafted web page.
This CMS is also affected by XSS vulnerabilities in the "wolfcms/admin/user/add" pages due to improper input sanitization of the "user[name]", "user[email]" and "user[username]" parameters passed via the POST HTTP method.
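As an added illustration (not Wolf CMS's own code), a minimal PHP handler for a form like admin/user/add that applies the two standard mitigations for the issues above: a per-session anti-CSRF token verified on every state-changing POST, and HTML escaping of user[name], user[email] and user[username] on output. The function names and the csrf_token field name are assumptions.

```php
<?php
// Added illustration, not Wolf CMS code: the two checks that close the
// CSRF and XSS classes described above for a POST handler such as
// admin/user/add (the same token check belongs on delete/logout handlers).

session_start();

// Issue one random token per session; every state-changing form embeds it.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A page on another origin cannot read the victim's token, so a request
// that lacks it (or carries a stale one) is refused before any action runs.
function requireCsrfToken(array $post): void {
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Escape for an HTML text/attribute context (the admin user list renders these).
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    requireCsrfToken($_POST);                  // CSRF: valid token or 403
    $user     = $_POST['user'] ?? [];
    $name     = (string)($user['name'] ?? '');
    $email    = (string)($user['email'] ?? '');
    $username = (string)($user['username'] ?? '');
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {   // reject malformed input early
        http_response_code(400);
        exit('Invalid e-mail address');
    }
    // ... persist the new user here (storage layer assumed) ...
    // XSS: escape on output; never echo the raw POST values back.
    echo '<td>' . h($name) . '</td><td>' . h($email) . '</td><td>' . h($username) . '</td>';
} else {
    // The form carries the token as a hidden field.
    echo '<form method="post"><input type="hidden" name="csrf_token" value="' . h(csrfToken()) . '">';
    echo '<input name="user[name]"><input name="user[email]"><input name="user[username]">';
    echo '<button>Add user</button></form>';
}
```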

To view my Original Advisory:
Wolfcms 0.75 Multiple Vulnerabilities (CSRF-XSS)

Other related publications:
Inj3ct0r
Packet Storm
Secunia
Kaspersky Lab
Offensive Security DB
IBM X-Force Wolfcms XSS
IBM X-Force Wolfcms CSRF
OSVDB
NIST – NVDB
