CVE-2014-3866

Usercake < 2.0.2 - Cross-Site Request Forgery via User Settings

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3866. PoCs published by Dolev Farhi.

AI-analyzed exploit summary This is a CSRF PoC for User Cake 2.0.2, demonstrating how an attacker can trick a logged-in user into submitting a form that changes their email and password. The exploit leverages lack of CSRF token validation.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in user_settings.php in Usercake 2.0.2 and earlier allow remote attackers to hijack the authentication of administrators for requests that change the (1) administrative password via the passwordc parameter or (2) administrative e-mail address via the email parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dolev Farhi · htmlwebappsphp

https://www.exploit-db.com/exploits/39198

View Code ZIP pw:eip

This is a CSRF PoC for User Cake 2.0.2, demonstrating how an attacker can trick a logged-in user into submitting a form that changes their email and password. The exploit leverages lack of CSRF token validation.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: User Cake 2.0.2

Auth required

Prerequisites: Victim must be logged into User Cake · Victim must be tricked into submitting the form

MITRE ATT&CK

T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit x_refsource_misc

http://research.openflare.org/advisories/OF-2014-11/usercake_csrf.txt

Scores

EPSS 0.0106

EPSS Percentile 60.0%

Details

CWE

CWE-352

Status published

Products (2)

usercake/usercake 2.0.1

usercake/usercake < 2.0.2

Published May 26, 2014

Tracked Since Feb 18, 2026