CVE-2025-63712 identifies a Cross-Site Request Forgery vulnerability in the SourceCodester Product Expiry Management System, specifically targeting the delete-user.php script within the User Management module. The vulnerability arises because the endpoint relies solely on session cookies to authenticate requests and lacks any CSRF protection mechanisms such as anti-CSRF tokens or origin checks. This design flaw allows an attacker to craft a malicious webpage that, when visited by an authenticated user, triggers a cross-origin GET request to delete arbitrary user accounts without the user's consent. The attack exploits the victim's active session, leveraging the browser's automatic inclusion of session cookies in requests. The vulnerability is classified under CWE-352, indicating a failure to implement proper CSRF defenses. The CVSS v3.1 base score is 4.5, reflecting a medium severity level due to the requirement for user interaction and authenticated privileges (PR:H). The impact is primarily on integrity, as unauthorized deletion of user accounts can disrupt system administration and user access. Availability and confidentiality impacts are minimal or none. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-10-27 and published on 2025-11-10.

For European organizations using the SourceCodester Product Expiry Management System, this vulnerability poses a risk of unauthorized deletion of user accounts, potentially leading to disruption of user management workflows and administrative operations. Such disruptions could affect internal processes reliant on user roles and permissions, causing operational delays or loss of access for legitimate users. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise could facilitate further attacks if critical administrative accounts are removed. Organizations with complex user hierarchies or those relying heavily on this system for product expiry management may experience significant operational challenges. Additionally, the need for user interaction and authenticated sessions limits the attack scope but does not eliminate risk, especially in environments with less stringent user awareness or where social engineering is feasible. The absence of known exploits reduces immediate threat but does not preclude future exploitation.

To mitigate CVE-2025-63712, organizations should implement robust CSRF protections in the affected application. This includes adding anti-CSRF tokens to all state-changing requests, especially those that delete or modify user accounts, and verifying these tokens server-side before processing requests. Changing the HTTP method for deletion operations from GET to POST or DELETE can reduce risk, as GET requests should be idempotent and safe. Additionally, validating the HTTP Referer or Origin headers can help ensure requests originate from trusted sources. Enforcing multi-factor authentication and session timeout policies can reduce the window of opportunity for exploitation. Regularly auditing user management logs for unexpected deletions and educating users about phishing and social engineering risks are also recommended. If possible, updating or patching the Product Expiry Management System to a version that addresses this vulnerability is ideal, though no patches are currently available. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block suspicious cross-origin requests targeting the delete-user.php endpoint.