CVE-2018-18449
Description
EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
EmpireCMS 7.5 has a CSRF vulnerability allowing attackers to add arbitrary user accounts via the admin panel.
Vulnerability
EmpireCMS 7.5 contains a cross-site request forgery (CSRF) vulnerability in the user addition functionality. The action enews=AddUser in e/admin/user/ListUser.php does not validate the request origin, enabling attackers to forge malicious requests. This issue is similar to CVE-2018-16339. Affected version: 7.5 [1].
Exploitation
An attacker can craft a CSRF page (as demonstrated in the proof-of-concept [1]) that, when visited by an authenticated administrator, silently submits a request to add a new user. The attacker only needs to trick a logged-in admin into visiting the crafted page; no additional privileges or network position are required.
Impact
Successful exploitation allows the attacker to add a user account with arbitrary username and password, potentially gaining administrative access to the EmpireCMS backend. This can lead to full compromise of the CMS and its data.
Mitigation
No official patch is mentioned in the available references. Users should implement CSRF tokens manually or restrict access to the admin panel (e.g., via IP allowlist or VPN). The vendor may have addressed this in a later version, but this is not confirmed. A similar issue (CVE-2018-16339) was fixed in an EmpireCMS 7.5 update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: =7.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/w3irdo001/demo/blob/master/3.html
News mentions
No linked articles in our index yet.