CVE-2018-25363

MEDIUM

Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25363, a PoC published by L0RD.

AI-analyzed exploit summary: This is a functional CSRF exploit for Twitter-Clone 1 that forces a victim to delete posts by submitting a crafted form. The PoC includes a self-submitting HTML form targeting the tweet deletion endpoint.

Description

Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions.

Exploits (1)

ExploitDB · Working PoC
by L0RD · text · webapps · php
https://www.exploit-db.com/exploits/45232

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Twitter-Clone 1
Auth required
Prerequisites: victim must be authenticated and visit the malicious page
Analyzed by devstral-2 on May 25, 2026

References (3)

Exploit: ExploitDB-45232
https://www.exploit-db.com/exploits/45232
Product: Official Product Homepage
https://github.com/Fyffe/PHP-Twitter-Clone/
Third Party Advisory: VulnCheck Advisory: Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php
https://www.vulncheck.com/advisories/twitter-clone-1-cross-site-request-forgery-via-tweetdel-php

Scores

CVSS v3: 4.3
EPSS: 0.0020
EPSS Percentile: 9.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-352 (Cross-Site Request Forgery)
Status: published
Products (1): Fyffe/PHP-Twitter-Clone 1.0
Published: May 25, 2026
Tracked Since: May 25, 2026