MEDIUM
joeyrush
CVE published 2026-05-29
CVE-2018-25397
PHP-SHOP 1.0 contains a cross-site request forgery (CSRF) vulnerability in the users.php endpoint. An unauthenticated attacker can craft a malicious HTML form that, when visited by an authenticated administrator, automatically submits a POST request to create a new administrative user with elevated privileges. The vulnerability stems from missing CSRF token validation on the user creation functionality, a [truncated]