Description
Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user.
Published: 2026-05-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Smartshop 1 contains a CSRF vulnerability that lets attackers modify user profiles by tricking authenticated users into submitting forged requests. When an admin visits a specially crafted HTML page, the hidden form targets editprofile.php with altered email and password fields, and the request is sent automatically. This flaw allows unauthorized users to change account information without knowledge of credentials, potentially escalating privileges or enabling phishing attacks. The weakness is classified as CWE-352, indicating a lack of anti‑CSRF mechanisms.

Affected Systems

The affected product is the Behance Smartshop e‑commerce website, version 1. No specific patch or version information is provided in the CVE data. All installations of Smartshop 1 that expose editprofile.php to authenticated admins are susceptible.

Risk and Exploitability

The CVSS base score for this vulnerability is 5.3, indicating moderate overall risk. No EPSS score is publicly available and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be a classic CSRF scenario requiring an authenticated admin to visit a malicious page; thus it does not require network access or local privileges. Exploitation is straightforward – simply lure an admin to a crafted page – but successful attacks depend on the presence of a valid administrator session.

Generated by OpenCVE AI on May 23, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch released by Behance for Smartshop that eliminates the CSRF flaw in editprofile.php.
  • Add a CSRF token to the editprofile.php form and validate it on the server side, ensuring only legitimate submissions are processed.
  • Restrict access to editprofile.php to privileged administrators only, log all profile changes, and audit for unauthorized modifications.

Generated by OpenCVE AI on May 23, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Behance
Behance smartshop
Vendors & Products Behance
Behance smartshop

Sat, 23 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user.
Title Smartshop 1 Cross-Site Request Forgery via editprofile.php
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Subscriptions

Behance Smartshop
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-27T16:10:36.062Z

Reserved: 2026-05-23T14:44:04.644Z

Link: CVE-2018-25343

cve-icon Vulnrichment

Updated: 2026-05-27T16:10:31.040Z

cve-icon NVD

Status : Deferred

Published: 2026-05-23T19:16:54.200

Modified: 2026-05-26T19:37:32.587

Link: CVE-2018-25343

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T11:33:31Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)