CVE-2018-25190

MEDIUM

Easyndexer 1.0 - Unauthenticated Cross-Site Request Forgery via createuser.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25190. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary The exploit demonstrates a CSRF vulnerability in Easyndexer 1.0, allowing an attacker to create an admin user via a crafted POST request. It also includes a method to download the database file, exposing sensitive data.

Description

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, password, name, surname, and privileges set to 1 for administrator access.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45815

The exploit demonstrates a CSRF vulnerability in Easyndexer 1.0, allowing an attacker to create an admin user via a crafted POST request. It also includes a method to download the database file, exposing sensitive data.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Easyndexer 1.0
No auth needed
Prerequisites: access to the target application
devstral-2 · analyzed Mar 06, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45815

Scores

CVSS v3 5.3
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
rul10/easyndexer 1.0
Published Mar 06, 2026
Tracked Since Mar 06, 2026