Description
Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user.
Published: 2026-05-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Smartshop 1 contains a CSRF vulnerability that lets attackers modify user profiles by tricking authenticated users into submitting forged requests. When an admin visits a specially crafted HTML page, the hidden form targets editprofile.php with altered email and password fields, and the request is sent automatically. This flaw allows unauthorized users to change account information without knowledge of credentials, potentially escalating privileges or enabling phishing attacks. The weakness is classified as CWE-352, indicating a lack of anti‑CSRF mechanisms.

Affected Systems

The affected product is the Behance Smartshop e‑commerce website, version 1. No specific patch or version information is provided in the CVE data. All installations of Smartshop 1 that expose editprofile.php to authenticated admins are susceptible.

Risk and Exploitability

The CVSS base score for this vulnerability is 5.3, indicating moderate overall risk. No EPSS score is publicly available and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be a classic CSRF scenario requiring an authenticated admin to visit a malicious page; thus it does not require network access or local privileges. Exploitation is straightforward – simply lure an admin to a crafted page – but successful attacks depend on the presence of a valid administrator session.

Generated by OpenCVE AI on May 23, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch released by Behance for Smartshop that eliminates the CSRF flaw in editprofile.php.
  • Add a CSRF token to the editprofile.php form and validate it on the server side, ensuring only legitimate submissions are processed.
  • Restrict access to editprofile.php to privileged administrators only, log all profile changes, and audit for unauthorized modifications.

Generated by OpenCVE AI on May 23, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user.
Title Smartshop 1 Cross-Site Request Forgery via editprofile.php
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:45.936Z

Reserved: 2026-05-23T14:44:04.644Z

Link: CVE-2018-25343

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses