phpwcms 1.8.9 allows remote malicious users to discover the installation path via an invalid csrf_token_value field.
phpwcms phpwcms 1.8.9