PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25397 joeyrush CVE debrief

PHP-SHOP 1.0 contains a cross-site request forgery (CSRF) vulnerability in the users.php endpoint. An unauthenticated attacker can craft a malicious HTML form that, when visited by an authenticated administrator, automatically submits a POST request to create a new administrative user with elevated privileges. The vulnerability stems from missing CSRF token validation on the user creation functionality, allowing state-changing actions to be performed without verifying the request originated from a legitimate application session.

Vendor: joeyrush
Product: PHP-SHOP master
CVSS: 6.9 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running PHP-SHOP 1.0; web application security teams; developers maintaining legacy PHP e-commerce platforms

Technical summary

The users.php endpoint in PHP-SHOP 1.0 fails to validate CSRF tokens on POST requests for user creation. An attacker can construct an HTML form with hidden fields preset to create an administrative user (name, email, password, permissions=admin) and host it on an attacker-controlled domain. When an authenticated administrator visits the malicious page, the form auto-submits via JavaScript or is triggered by social engineering, causing the browser to include the administrator's session cookies with the request. The server processes the request as legitimate, creating the unauthorized admin account. No anti-CSRF tokens, origin validation, or referer checking prevents this attack.

Defensive priority

medium

Recommended defensive actions

  • Implement CSRF token validation on all state-changing endpoints, particularly users.php
  • Add SameSite cookie attributes to session cookies to mitigate cross-origin request risks
  • Require re-authentication or secondary confirmation for sensitive administrative actions such as user creation with elevated privileges
  • Review and audit all administrative endpoints for missing CSRF protections
  • Consider implementing Content Security Policy (CSP) headers to reduce impact of injected malicious forms
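One way to implement the first two actions above in PHP, given as an added example rather than PHP-SHOP's own code (the helper names, the csrf_token field name and the session handling are assumptions):

```php
<?php
// Added example, not PHP-SHOP code: synchronizer-token CSRF protection for an
// admin "create user" handler such as users.php, plus SameSite session cookies.

// Mitigation 2: session cookie with SameSite=Lax so cross-site POSTs omit it
// (PHP 7.3+ array form of session_set_cookie_params).
session_set_cookie_params([
    'samesite' => 'Lax',
    'httponly' => true,
    'secure'   => true,
]);
session_start();

// Mitigation 1: one random token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy;
// Sec-Fetch-Site (sent by modern browsers) is checked as a second layer.
function csrf_valid(array $post, array $server): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;   // absent on older browsers
    return $site === null || $site === 'same-origin';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SERVER)) {
        // Log and refuse: a failed check here is a detection signal worth alerting on.
        error_log('users.php: CSRF validation failed from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(403);
        exit('Invalid request.');
    }
    // Existing user-creation logic (name, email, password, permissions) would follow here.
}
?>
<form method="post" action="users.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <!-- name, email, password and permissions fields go here -->
  <button type="submit">Create user</button>
</form>
```

The token check is the primary control; the SameSite attribute and Sec-Fetch-Site check are defence in depth and should not replace it.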

Evidence notes

CVE published 2026-05-29T16:16:19.237Z; modified 2026-05-29T16:29:11.350Z. The VulnCheck advisory confirms CSRF via the users.php endpoint, with parameters including name, email, password, and permissions. Exploit-DB entry 45636 documents the attack vector. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and no user interaction required on the attacker's side (as with any CSRF, the victim administrator must still visit the attacker's page). Weakness classified as CWE-352 (Cross-Site Request Forgery).

Official resources

2026-05-29