CVE-2025-34133

27.10.2025, 16:15

Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' without validating the fields value; only the presence of the field is checked. An attacker can craft a cross-site request that causes a logged-in victims browser to submit a JSON POST containing an arbitrary or empty 'csrf_token', and the API will execute the request with the victims privileges. Successful exploitation can allow an attacker to perform privileged actions as the victim potentially resulting in account takeover, privilege escalation, or service disruption.

CSRF

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://www.vulncheck.com/advisories/wimi-teamwork-csrf

https://www.wimi-teamwork.com/

https://www.wimi-teamwork.com/product-news/release-7-38/