CVE-2018-25343

MEDIUM

Smartshop 1 Cross-Site Request Forgery via editprofile.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25343. PoCs published by L0RD.

AI-analyzed exploit summary: This is a functional CSRF exploit targeting Smartshop 1's editprofile.php. It demonstrates how an attacker can change the admin password by tricking a victim into submitting a crafted form.

Description

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms that target editprofile.php with hidden fields for the email and password parameters and that submit automatically when the page is visited by an authenticated admin user.

Exploits (1)

exploitdb WORKING POC
by L0RD · html · webapps · php
https://www.exploit-db.com/exploits/44824


Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Smartshop 1
No auth needed
Prerequisites: Victim must be authenticated as admin · Victim must visit the malicious page
devstral-2 · analyzed May 24, 2026

References (4)

Core References
Exploit: ExploitDB-44824
https://www.exploit-db.com/exploits/44824
Third Party Advisory: VulnCheck Advisory: Smartshop 1 Cross-Site Request Forgery via editprofile.php
https://www.vulncheck.com/advisories/smartshop-1-cross-site-request-forgery-via-editprofile-php

Scores

CVSS v3: 4.3
EPSS: 0.0002
EPSS Percentile: 3.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-352
Status: published
Products (1): Behance/Smartshop 1.0
Published: May 23, 2026
Tracked Since: May 24, 2026