CVE-2025-15455 identifies an improper authentication vulnerability in the bg5sbk MiniCMS product, specifically affecting versions 1.0 through 1.8. The flaw resides in the delete_page function located in /minicms/mc-admin/page.php within the File Recovery Request Handler component. Due to insufficient authentication checks, an attacker can remotely invoke this function to delete pages without any credentials or user interaction. This vulnerability arises from a failure to properly verify the identity or privileges of the requestor before allowing page deletion operations. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it accessible to unauthenticated attackers. The CVSS v4.0 score is 6.9 (medium), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and partial impact on integrity and availability. Although an exploit has been published publicly, there are no confirmed reports of active exploitation in the wild. The vendor was notified early but has not issued any response or patches, leaving affected systems exposed. This vulnerability threatens the integrity and availability of websites running MiniCMS by allowing unauthorized deletion of content pages, which could disrupt business operations, damage reputation, and require recovery efforts. The lack of authentication enforcement in a critical administrative function represents a significant security lapse in the CMS design.

The primary impact of CVE-2025-15455 is unauthorized deletion of website pages, which compromises the integrity and availability of affected web properties. Organizations relying on MiniCMS versions 1.0 to 1.8 face risks including content loss, website defacement, disruption of services, and potential reputational damage. Since the vulnerability requires no authentication and no user interaction, attackers can automate exploitation at scale, increasing the likelihood of widespread attacks once exploits are integrated into attack toolkits. This can lead to denial of service conditions for website visitors and administrative overhead for recovery and remediation. The absence of vendor patches exacerbates the risk, forcing organizations to rely on compensating controls. Additionally, attackers could leverage this vulnerability as a foothold for further attacks if combined with other vulnerabilities or misconfigurations. Overall, the vulnerability poses a moderate but tangible threat to organizations using the affected CMS versions, especially those with public-facing websites critical to business operations.

1. Immediately restrict access to the MiniCMS administrative interface by implementing IP whitelisting or VPN-only access to reduce exposure to remote attackers. 2. Deploy web application firewalls (WAFs) with custom rules to detect and block requests targeting the delete_page function or suspicious URL patterns related to /minicms/mc-admin/page.php. 3. Monitor web server and application logs for unusual deletion requests or repeated access attempts to the vulnerable endpoint. 4. If possible, disable or remove the delete_page functionality temporarily until a vendor patch or official fix is available. 5. Conduct a thorough inventory of all MiniCMS instances and upgrade to a patched version once released or consider migrating to a more secure CMS platform. 6. Implement regular backups of website content to enable rapid restoration in case of unauthorized deletions. 7. Educate administrators and developers about the vulnerability and encourage vigilance against suspicious activity. 8. Engage with the vendor or community to track patch releases and security advisories related to MiniCMS.