CVE-2008-6729

PHPmotion < 2.1 - Cross-Site Request Forgery via Password or Email Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6729. PoCs published by Ausome1.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in PHPmotion <= 2.1, allowing an attacker to change a victim's password and email by tricking them into visiting a malicious webpage with a hidden iframe.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in password.php in PHPmotion 2.1 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that modify an account via the (1) password or (2) email_address parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Ausome1 · text · webapps · php
https://www.exploit-db.com/exploits/7557

Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: PHPmotion <= 2.1
No auth needed
Prerequisites: Victim must be logged into PHPmotion · Victim must visit attacker-controlled webpage
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33309
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/50999
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/47585
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7557

Scores

EPSS 0.0024
EPSS Percentile 47.4%

Details

CWE
CWE-352
Status published
Products (3)
phpmotion/phpmotion 1.0
phpmotion/phpmotion 2.0
phpmotion/phpmotion < 2.1
Published Apr 20, 2009
Tracked Since Feb 18, 2026