Description
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PHP-SHOP 1.0 is vulnerable to a cross-site request forgery flaw that allows an unauthenticated attacker to create new administrative users. By distributing a malicious page with a hidden form, attackers can cause an authenticated administrator to submit a POST request to users.php, supplying parameters such as name, email, password, and administrative permissions. If the form is submitted successfully, the target application adds a new account with administrator privileges, effectively granting the attacker elevated access over the system. The problem resides in the lack of request forgery protection and is classified under CWE-352.

Affected Systems

The affected product is PHP-SHOP by joeyrush, version 1.0 (the master branch). Any instance running this version that exposes the users.php endpoint to authenticated administrators is susceptible to the vulnerability.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 sits at the top of the medium severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker first entice a legitimate administrator to visit the malicious page; once the administrator's browser submits the hidden form with the admin's session cookie attached, a new admin user is created. This attack path highlights the absence of CSRF tokens (and of any other request-origin validation) in the user-creation flow.

Generated by OpenCVE AI on May 29, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement CSRF tokens or synchronizer-token patterns on the users.php form submissions to verify legitimate requests.
  • Ensure that only authenticated administrators can access the users.php endpoint, and restrict the POST method to authorized admin roles only.
  • Configure the application or web server to disable or require authentication for the endpoint that creates new users, or modify the logic to reject user-creation requests lacking proper authorization headers.
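The following is an added example of how the first two recommended actions look in a PHP endpoint of this shape; it is not PHP-SHOP's own code and was not taken from the advisory. It assumes the application keeps the logged-in user's role in $_SESSION['permissions'], that a hypothetical createUser() helper performs the actual insert, and that the shop is served from the assumed origin https://shop.example. The synchronizer token is generated server-side per session, embedded in the form as a hidden field, and compared in constant time on every POST before any user-creation logic runs; a Sec-Fetch-Site/Origin check and a SameSite session cookie are layered on as defence in depth.

```php
<?php
// Added example (not PHP-SHOP's code): synchronizer-token CSRF protection for an
// admin user-creation endpoint such as users.php. Helper names are assumptions.
declare(strict_types=1);

// SameSite=Lax stops most cross-site POSTs from carrying the session cookie at all.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Issue one unpredictable token per session and keep it only on the server side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrfTokenValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Defence in depth: reject cross-site POSTs using Fetch metadata or Origin when the
// browser supplies them. $allowedOrigin is an assumed deployment value.
function requestIsSameSite(string $allowedOrigin): bool
{
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null) {
        return $site === 'same-origin' || $site === 'none';
    }
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $allowedOrigin;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Authorization: only a logged-in administrator may reach the creation logic.
    if (($_SESSION['permissions'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('forbidden');
    }

    // 2. CSRF: refuse any POST that does not carry the token issued to this session.
    if (!csrfTokenValid($_POST['csrf_token'] ?? null) || !requestIsSameSite('https://shop.example')) {
        http_response_code(403);
        error_log('users.php: rejected possible CSRF attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('invalid request');
    }

    // 3. Only now handle the user-creation fields (createUser is a hypothetical helper).
    // createUser($_POST['name'], $_POST['email'], $_POST['password'], $_POST['permissions']);

    // Rotate the token after a state-changing request so it cannot be replayed.
    unset($_SESSION['csrf_token']);
}
?>
<form method="post" action="users.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="name" placeholder="name">
  <input name="email" placeholder="email">
  <input name="password" type="password" placeholder="password">
  <select name="permissions">
    <option value="user">user</option>
    <option value="admin">admin</option>
  </select>
  <button type="submit">Create user</button>
</form>
```

The ordering matters: the role check runs before the token check so an unauthenticated request is never told whether its token was right, and the token is compared with hash_equals() rather than == to avoid a timing side channel. A forged page on another site cannot read the hidden csrf_token value because of the same-origin policy, so its auto-submitted form fails step 2 even if the victim's browser still attaches the session cookie.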

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description                   PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.
Title                         PHP-SHOP 1.0 Cross-Site Request Forgery via users.php
Weaknesses                    CWE-352
References
Metrics                       cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                              cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:39.095Z

Reserved: 2026-05-29T11:40:39.588Z

Link: CVE-2018-25397

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T16:16:19.237

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses