CVE-2025-15455: Improper Authentication in bg5sbk MiniCMS
A flaw has been found in bg5sbk MiniCMS up to 1.8. It affects the function delete_page in the file /minicms/mc-admin/page.php of the File Recovery Request Handler component. Manipulating it results in improper authentication. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15455 identifies a security vulnerability in the bg5sbk MiniCMS content management system, specifically versions 1.0 through 1.8. The flaw exists in the delete_page function located in the /minicms/mc-admin/page.php file, part of the File Recovery Request Handler component. The vulnerability is due to improper authentication checks, allowing remote attackers to invoke the delete_page function without valid credentials or user interaction. This means an attacker can remotely delete pages from the CMS without logging in or any prior authentication, potentially causing unauthorized content removal or website defacement. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the lack of authentication and ease of exploitation but limited to integrity and availability impacts without confidentiality loss. The vendor was contacted early but has not issued any patches or advisories, and no official fixes are available at this time. An exploit has been published publicly, increasing the risk of exploitation, although no active exploitation in the wild has been reported yet. This vulnerability could be leveraged by attackers to disrupt website operations, damage reputation, or prepare for further attacks by removing critical content or administrative pages. Organizations using MiniCMS should be aware of this risk and implement immediate mitigations to prevent unauthorized deletions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity and availability of web content managed by MiniCMS. Unauthorized deletion of pages can lead to service disruption, loss of critical information, and reputational damage, especially for public-facing websites or those providing essential services. Organizations in sectors such as government, education, media, and small-to-medium enterprises that rely on MiniCMS for content management could face operational interruptions. The lack of authentication requirement and remote exploitability increase the likelihood of attacks, potentially leading to defacement or denial of service. While confidentiality is not directly impacted, the integrity and availability consequences can affect trust and compliance with data protection regulations like GDPR if service disruptions impact user data access or service continuity. Additionally, the absence of vendor response and patches means organizations must rely on internal controls and monitoring to mitigate risks. The medium severity score suggests a significant but not critical threat, yet the public availability of exploits elevates urgency for European entities to act promptly.
Mitigation Recommendations
Since no official patches or vendor responses are available, European organizations should implement compensating controls immediately:
- Restrict access to the /minicms/mc-admin/page.php file and the delete_page function via network-level controls such as IP whitelisting or firewall rules, limiting access to trusted administrators only.
- Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized delete_page requests.
- Conduct thorough logging and monitoring of CMS administrative actions to detect suspicious deletion attempts.
- Consider isolating MiniCMS instances from the public internet or placing them behind VPNs or secure gateways requiring strong authentication.
- Regularly back up CMS content to enable rapid restoration in case of unauthorized deletions.
- Monitor threat intelligence feeds for any updates or patches from the vendor or community.
- If feasible, evaluate alternative CMS platforms with active security support.
- Educate administrators about the vulnerability and the importance of immediate mitigation steps to reduce risk exposure.
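The logging and monitoring recommendation can be put into practice with a log review like the following. This is an added example, not code from MiniCMS or from the advisory: it scans web server access logs in the common/combined format for requests to the admin page named above that come from outside a trusted administrator range. The trusted range, the sample log lines and the query string in them are constructed placeholders.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Path named in the advisory; the trusted range is an assumed admin VPN subnet.
ADMIN_PATH = "/minicms/mc-admin/page.php"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined log format: ip - user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Decode and collapse the path so encoded, dotted or doubled-slash variants match."""
    path = unquote(target.partition("?")[0])
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_admin_hits(lines):
    """Return one record per request to ADMIN_PATH from outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        if normalize(target) != ADMIN_PATH or is_trusted(ip):
            continue
        hits.append({"ip": ip, "time": when, "method": method,
                     "has_query": bool(target.partition("?")[2]),
                     # 2xx/3xx means the request reached the CMS instead of being blocked
                     "served": status.startswith(("2", "3"))})
    return hits

# Constructed sample lines (documentation address ranges, placeholder query string).
SAMPLE = [
    '10.20.0.7 - - [05/Jan/2026:09:00:01 +0000] "GET /minicms/mc-admin/page.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Jan/2026:09:02:13 +0000] "GET /minicms/mc-admin/page.php?x=1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [05/Jan/2026:09:03:40 +0000] "GET /minicms/mc-admin/%70age.php HTTP/1.1" 403 199',
    '203.0.113.9 - - [05/Jan/2026:09:04:02 +0000] "GET /minicms/index.php HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for hit in find_untrusted_admin_hits(SAMPLE):
        print(hit)
```

Records with "served" set to True are the ones to check against backups first, since the request was not blocked before reaching the CMS.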
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-04T10:27:32.057Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695b3722db813ff03e2e334c
Added to database: 1/5/2026, 3:59:30 AM
Last enriched: 1/5/2026, 4:13:52 AM
Last updated: 1/7/2026, 4:46:50 AM