Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account.
Published May 22, 2020.
Gilacms Gila CMS