CVE-2018-25397

EIP tracks 1 public exploit for CVE-2018-25397. PoCs published by Alireza Norkazemi.

AI-analyzed exploit summary This is a functional CSRF exploit for PHP-SHOP 1.0 that adds an admin user via a crafted HTML form with auto-submission. The exploit leverages lack of CSRF protection in the admin user creation endpoint.

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.