CVE-2018-25435

MEDIUM

ZeusCart 4.0 - Cross-Site Request Forgery via regstatus Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25435. PoCs published by mqt.

AI-analyzed exploit summary

The exploit demonstrates a CSRF vulnerability in ZeusCart 4.0, allowing an attacker to deactivate customer accounts by tricking a victim into visiting a malicious page. The PoC uses an HTML image tag to send a crafted request to the admin endpoint.

Description

ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with the action=deny parameter.

Exploits (1)

exploitdb WORKING POC
by mqt · html · webapps · php
https://www.exploit-db.com/exploits/46027

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: ZeusCart 4.0
No auth needed
Prerequisites: Victim must be logged into ZeusCart admin panel · Attacker must know the target customer ID
devstral-2 · analyzed Jun 02, 2026

References (3)

Core References (3)
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/46027
Various Sources (product): http://www.zeuscart.com/

Scores

CVSS v3 5.3
EPSS 0.0002
EPSS Percentile 4.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
zeuscart/ZeusCart 4.0
Published Jun 01, 2026
Tracked Since Jun 02, 2026