CVE-2009-4366

ScriptsEz Ez Blog 1.0 - Cross-Site Scripting via yr Parameter in bmonth Action

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-4366. PoCs published by Milos Zivanovic.

AI-analyzed exploit summary This exploit demonstrates multiple CSRF vulnerabilities in Ez Cart 1.0, allowing actions such as deleting items, members, or categories, changing admin credentials, and sending emails to all members. The PoC includes HTML forms and direct URLs to trigger these actions without proper authentication checks.

Description

Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez Blog 1.0 allows remote attackers to inject arbitrary web script or HTML via the yr parameter in a bmonth action.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Milos Zivanovic · textwebappsphp

https://www.exploit-db.com/exploits/10461

View Code ZIP pw:eip

This exploit demonstrates multiple CSRF vulnerabilities in Ez Cart 1.0, allowing actions such as deleting items, members, or categories, changing admin credentials, and sending emails to all members. The PoC includes HTML forms and direct URLs to trigger these actions without proper authentication checks.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Ez Cart 1.0

No auth needed

Prerequisites: Victim must be authenticated as an admin in Ez Cart · Attacker must trick the victim into visiting a malicious page or clicking a link

MITRE ATT&CK

T1189 - Drive-by Compromise T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Milos Zivanovic · textwebappsphp

https://www.exploit-db.com/exploits/10458

View Code ZIP pw:eip

The exploit demonstrates multiple XSS and XSRF vulnerabilities in Ez Blog 1.0. It includes functional PoC code for front-end XSS and admin panel actions like adding blogs, approving comments, changing admin info, and deleting blogs.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Ez Blog 1.0

No auth needed

Prerequisites: Access to the target application · Victim interaction for XSS

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/61113

Exploit x_refsource_misc

http://packetstormsecurity.org/0912-exploits/ezblog-xssxsrf.txt

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/37743

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/54894

Scores

EPSS 0.0152

EPSS Percentile 71.4%

Details

CWE

CWE-79

Status published

Products (1)

scriptsez/ez_blog 1.0

Published Dec 21, 2009

Tracked Since Feb 18, 2026