Description
ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with action=deny parameters.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ZeusCart 4.0 includes a cross‑site request forgery flaw that lets an attacker, by luring an authenticated administrator to a malicious site, submit crafted requests to the regstatus endpoint and permanently deactivate customer accounts. This loss of account access disrupts customer service and can damage the merchant’s reputation. The weakness is a CWE‑352 CSRF vulnerability.

Affected Systems

The vulnerability affects the ZeusCart e‑commerce platform, specifically version 4.0. Administrators who log into the backend are the primary exposed users. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate-to-high risk level. EPSS is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widely known exploits as of now. The likely attack vector requires the victim administrator to load a malicious page while authenticated to the ZeusCart backend, a scenario that only occurs when administrators use shared or unsecured browsers.

Generated by OpenCVE AI on June 1, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ZeusCart release that implements CSRF protection on all state‑changing admin actions, if one is available from the vendor.
  • Enforce the use of secure, non‑shared browsers for administrative sessions to reduce the likelihood that attackers can load malicious pages while an administrator is authenticated.
  • Implement or enable framework‑level CSRF protection for all state‑changing admin actions, ensuring each request includes a valid nonce or token that cannot be guessed.
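The token check described in the last item, as an added illustration that is not ZeusCart code (ZeusCart is a PHP application; Python is used here only because the synchronizer-token pattern is language independent). The endpoint name regstatus and the action=deny parameter come from the advisory text; the session object, the customer table, the form layout, the header names and the "allow" action are assumptions constructed for this example. The handler fails closed: a request whose Origin/Referer does not match the shop's own origin, or whose hidden token does not match the server-side session token, is rejected before any customer status changes.

```python
"""Synchronizer-token CSRF protection for a state-changing admin action.

Added example, not ZeusCart code. Only ``regstatus`` and ``action=deny`` are
taken from the advisory; everything else is an assumption for illustration.
"""
import hmac
import secrets
from html import escape

# Constructed sample customer table (not real data).
CUSTOMERS = {
    101: {"email": "alice@example.test", "status": "active"},
    102: {"email": "bob@example.test", "status": "active"},
}

# Assumed action vocabulary: "deny" deactivates (per the advisory); "allow" is assumed.
ACTION_TO_STATUS = {"deny": "inactive", "allow": "active"}

SHOP_ORIGIN = "https://shop.example.test"  # assumed origin of the admin backend


class AdminSession:
    """Server-side session for a logged-in administrator (assumed shape)."""

    def __init__(self):
        # One unguessable, server-generated token per session.
        self.csrf_token = secrets.token_urlsafe(32)


def render_regstatus_form(session, customer_id, action):
    """Render the admin form; the hidden field carries the session token."""
    return (
        '<form method="post" action="/admin/regstatus">'
        f'<input type="hidden" name="csrf_token" value="{escape(session.csrf_token)}">'
        f'<input type="hidden" name="customer_id" value="{int(customer_id)}">'
        f'<input type="hidden" name="action" value="{escape(action)}">'
        '<button type="submit">Apply</button></form>'
    )


def _same_origin(headers, allowed_origin):
    """Defence in depth: a cross-site POST carries a foreign Origin.

    Fail closed when neither Origin nor Referer is present.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(allowed_origin + "/")
    return False


def handle_regstatus(session, form, headers, allowed_origin=SHOP_ORIGIN):
    """Handle POST /admin/regstatus. Returns (http_status, message)."""
    if not _same_origin(headers, allowed_origin):
        return 403, "rejected: cross-origin request"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so timing does not leak the token.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "rejected: missing or invalid CSRF token"
    try:
        customer_id = int(form.get("customer_id", ""))
    except ValueError:
        return 400, "bad customer_id"
    customer = CUSTOMERS.get(customer_id)
    new_status = ACTION_TO_STATUS.get(form.get("action"))
    if customer is None or new_status is None:
        return 400, "unknown customer or action"
    customer["status"] = new_status
    return 200, f"customer {customer_id} set to {new_status}"


def demo():
    """Legitimate same-origin submission succeeds; a forged one does not."""
    session = AdminSession()
    legit = {"csrf_token": session.csrf_token, "customer_id": "101", "action": "deny"}
    ok = handle_regstatus(session, legit, {"Origin": SHOP_ORIGIN})
    # A request submitted from another site has a foreign Origin and cannot
    # know the per-session token, so it never reaches the status change.
    forged = {"customer_id": "102", "action": "deny"}
    bad = handle_regstatus(session, forged, {"Origin": "https://attacker.example.test"})
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The Origin/Referer check alone is not sufficient (some clients strip Referer, and it does not help against requests from the same site), so the token comparison is the primary control and the origin check is a second layer. Tying the token to the server-side session, rather than to a cookie the browser would attach automatically, is what prevents a third-party page from reproducing the request.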


Tracking


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 21:45:00 +0000

Values removed: none for this entry.

Type: Description
Values added: ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with action=deny parameters.

Type: Title
Values added: ZeusCart 4.0 Deactivate Customer Accounts CSRF

Type: First Time appeared
Values added: Zeuscart; Zeuscart zeuscart

Type: Weaknesses
Values added: CWE-352

Type: CPEs
Values added: cpe:2.3:a:zeuscart:zeuscart:4.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Zeuscart; Zeuscart zeuscart

Type: References
Values added: none

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

Zeuscart Zeuscart
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T12:28:37.978Z

Reserved: 2026-06-01T12:03:03.490Z

Link: CVE-2018-25435

Vulnrichment

Updated: 2026-06-02T12:28:15.435Z

NVD

Status : Deferred

Published: 2026-06-01T22:16:17.007

Modified: 2026-06-02T14:43:49.920

Link: CVE-2018-25435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T23:30:12Z

Weaknesses