CVE-2009-4365

ScriptsEz Ez Blog 1.0 - Cross-Site Request Forgery in admin.php

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4365.

AI-analyzed exploit summary The exploit demonstrates multiple CSRF vulnerabilities in Ez Cart 1.0, allowing actions like deleting items, members, or categories, changing admin info, and sending emails to all members via crafted HTML forms.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ScriptsEz Ez Blog 1.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a blog via the add_blog action, (2) approve a comment via the approve_comment action, (3) change administrator information including the password via the admin_opt action, and (4) delete a blog via the delete action.

Exploits (2)

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/10461

View Code ZIP pw:eip

The exploit demonstrates multiple CSRF vulnerabilities in Ez Cart 1.0, allowing actions like deleting items, members, or categories, changing admin info, and sending emails to all members via crafted HTML forms.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Ez Cart 1.0

No auth needed

Prerequisites: Victim must be authenticated as admin and visit a malicious page hosting the exploit forms

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

exploitdb WORKING POC

webappsphp

https://www.exploit-db.com/exploits/10458

View Code ZIP pw:eip

The exploit demonstrates multiple XSS and XSRF vulnerabilities in Ez Blog 1.0. It includes functional PoC code for front-end XSS and admin panel actions like adding blogs, approving comments, changing admin info, and deleting blogs.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Ez Blog 1.0

No auth needed

Prerequisites: Access to the target application · Victim interaction for XSS

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/61114

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/54895

Exploit x_refsource_misc

http://packetstormsecurity.org/0912-exploits/ezblog-xssxsrf.txt

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/37743

Scores

EPSS 0.0092

EPSS Percentile 55.7%

Details

CWE

CWE-352

Status published

Products (1)

scriptsez/ez_blog 1.0

Published Dec 21, 2009

Tracked Since Feb 18, 2026