# Bludit CMS CSRF in Plugin and Theme Management Endpoints (CVE-2026-27741)

**Authors:** Beatriz Fresno Naumova, Ryan Chan (@RyanC34)

**Date:** 23/02/2026

**Vendor:** Bludit

**Product:** Bludit

**Versions affected:** ≤ 3.16.1

**Component:** /admin/uninstall-plugin/ and /admin/install-theme/ endpoints

**CWE:** CWE-352 – Cross-Site Request Forgery (CSRF)

**Attack type:** Remote

**Impact:** Cross-Site Request Forgery (CSRF) leading to unauthorized administrative actions

### Description

Bludit versions up to and including 3.16.1 are affected by a Cross-Site Request Forgery (CSRF) vulnerability in the administrative endpoints responsible for plugin uninstallation and theme installation.

The application does not implement anti-CSRF tokens, SameSite protections, or request origin validation mechanisms for the `/admin/uninstall-plugin/` and `/admin/install-theme/` endpoints.

An attacker can craft a malicious webpage that silently submits forged HTTP requests to these endpoints. If an authenticated administrator visits the attacker-controlled page, the browser automatically includes the active session cookies, resulting in unauthorized execution of administrative actions.

Successful exploitation may allow an attacker to uninstall legitimate plugins or install malicious themes, potentially leading to execution of untrusted code and compromise of system integrity.

### Impact

#### Primary impact

* Unauthorized administrative actions performed in the context of an authenticated administrator.

#### Consequences

* Unauthorized plugin uninstallation
* Installation of malicious themes
* Execution of untrusted code
* Loss of functionality
* Compromise of system integrity

### CVSS Details

**CVSS v4.0 Vector:**\
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

**Base Score:** 5.1 (Medium)

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`

**Base Score:** 4.3 (Medium)

### Solution

At the time of disclosure, no official patch was confirmed in the affected version range.

### Recommendation

* Implement anti-CSRF tokens for all state-changing administrative actions
* Enforce SameSite cookie attributes
* Validate Origin and Referer headers for administrative endpoints
* Restrict administrative actions to POST requests with proper validation
* Conduct a security review of all privileged endpoints

### Mitigation

* Apply CSRF protection mechanisms across all administrative routes
* Use framework-level CSRF middleware where available
* Implement Content Security Policy (CSP) to reduce exploitability
* Monitor administrative actions for anomalies
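The Recommendation and Mitigation lists above can be combined into one request guard for the two affected routes. The following is an added illustration written for this advisory, not Bludit's own code: the route names come from the advisory, while the `Request`/`Session` model, the `SITE_ORIGIN`, the cookie name and the `tokenCSRF` form field are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The two endpoints named in the advisory; everything else here is a
# constructed model for the example, not Bludit's own request handling.
STATE_CHANGING_ROUTES = {"/admin/uninstall-plugin/", "/admin/install-theme/"}
SITE_ORIGIN = "https://blog.example"  # assumed deployment origin


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    # Per-session secret; the server embeds it in its own admin forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line (cookie name assumed) with SameSite=Lax so a cross-site
    form POST does not carry the administrator's session at all."""
    return f"ADMIN-SESSION={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_guard(req: Request, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing admin route."""
    if req.path not in STATE_CHANGING_ROUTES:
        return True, "not a protected route"
    if req.method != "POST":
        return False, "state change must be POST"
    # Browsers send Origin on cross-site POSTs; fall back to Referer if absent.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or _origin_of(src) != SITE_ORIGIN:
        return False, f"origin mismatch: {src!r}"
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(req.form.get("tokenCSRF", ""), session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```

A forged request from another site fails on the Origin check first; a same-site request without the token fails on the token check, so each of the three layers rejects it independently.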

### Discoverers

* Beatriz Fresno Naumova
* Ryan Chan (@RyanC34)

### References

* **CVE Record:** <https://www.cve.org/CVERecord?id=CVE-2026-27741>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints>
* **Vendor Website:** <https://www.bludit.com/>
