CVE-2025-55046 is a Cross-Site Request Forgery (CSRF) vulnerability affecting MuraCMS versions up to 10.1.10. The vulnerability resides in the cTrash.empty function, which is responsible for emptying the trash system that holds deleted content. This function lacks proper CSRF token validation, a security mechanism designed to ensure that requests to sensitive functions originate from legitimate users and not from malicious third-party sites. As a result, an attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically triggers a hidden form submission that calls the cTrash.empty function. This causes the permanent deletion of all trashed content without any user confirmation or validation. The attack requires the administrator to be logged in and to visit the malicious page, but no additional privileges or complex interactions are needed. The vulnerability impacts the integrity and availability of data, as it causes irreversible loss of content stored in the trash system. The CVSS v3.1 score of 8.1 reflects the high impact and relatively low complexity of exploitation, with no privileges required but user interaction necessary. Although no known exploits are currently reported in the wild, the lack of patches and the critical nature of the vulnerability make it a significant risk for organizations relying on MuraCMS for content management.

The primary impact of CVE-2025-55046 is catastrophic data loss within MuraCMS environments. Organizations using affected versions risk permanent deletion of all trashed content, which may include important documents, media, or other critical data awaiting restoration. This compromises data integrity and availability, potentially disrupting business operations, content workflows, and compliance with data retention policies. Since the attack requires an authenticated administrator to visit a malicious webpage, targeted spear-phishing or social engineering campaigns could be used to trigger the exploit. The loss of trashed content might not be recoverable if no backups exist, leading to operational downtime and reputational damage. Additionally, organizations may face increased costs related to data recovery efforts and incident response. The vulnerability does not impact confidentiality directly but can indirectly affect trust and operational continuity.

To mitigate CVE-2025-55046, organizations should immediately implement the following measures: 1) Restrict administrator access to trusted networks and devices to reduce exposure to malicious webpages. 2) Educate administrators about the risks of visiting untrusted websites while logged into MuraCMS and enforce strict browsing policies. 3) Employ web application firewalls (WAFs) to detect and block suspicious CSRF attack patterns targeting the cTrash.empty function. 4) Monitor administrator activity logs for unusual trash emptying events and establish alerting mechanisms. 5) Regularly back up all content, including trashed items, to enable recovery in case of data loss. 6) If possible, apply custom patches or temporary CSRF token validation on the cTrash.empty endpoint until an official patch is released. 7) Use browser security features such as SameSite cookies to reduce CSRF risks. 8) Limit the number of administrators with trash-emptying privileges to minimize the attack surface. These steps go beyond generic advice by focusing on operational controls, monitoring, and temporary technical mitigations in the absence of an official patch.