CVE-2018-18842
Description
A CSRF vulnerability in Z-BlogPHP 1.5.2.1935 allows remote attackers to execute arbitrary PHP code via theme.js.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the file zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP version 1.5.2.1935 (Zero) [1]. Because the file can be requested directly and is served as JavaScript, a third-party page that loads it in a script tag obtains the CSRF token it embeds [1]. In addition, the server-side regular expression that validates requests to create new templates or plugins is flawed, which ultimately enables arbitrary PHP code execution [1].
Exploitation
An attacker must trick a logged-in administrator into visiting a malicious page that loads theme.js.php as an external script [1]. With the leaked CSRF token available in that page, the attacker can forge a cross-site request that passes the server's weak regex validation. The sequence is therefore to obtain the CSRF token, then forge a request that creates a template or plugin containing PHP code [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary PHP code on the server with the privileges of the web server [1]. This can lead to full compromise of the web application, including data theft, defacement, or further server-side attacks [1].
Mitigation
As of the available references, the vendor (zblogcn) was notified via the GitHub issue tracker, but no fixed version or official patch is mentioned [1]. Users should upgrade to a patched version if one becomes available, or apply strict access controls and CSRF protections to the affected endpoint. The product may be end-of-life; consult the vendor for current support status.
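The access control the mitigation calls for can be modelled as a same-origin gate on the token-bearing endpoint. The following is an added example written for this page, not Z-BlogPHP's own code: it assumes a site host of blog.example and constructed request header sets, and shows why a third-party script include is refused while a same-origin XMLHttpRequest is served.

```python
from urllib.parse import urlsplit

SITE_HOST = "blog.example"  # constructed: the host the blog is served from


def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def is_same_site_request(headers: dict, site_host: str = SITE_HOST) -> bool:
    """True only when the request can be shown to come from our own origin.
    Sec-Fetch-Site (browser-set, not forgeable by page content) is trusted
    first; Origin/Referer host comparison is the fallback for older browsers.
    A request with no provenance at all is refused rather than served blind."""
    h = _lower(headers)
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        return sfs == "same-origin"
    for name in ("origin", "referer"):
        if name in h:
            return urlsplit(h[name]).hostname == site_host
    return False


def may_serve_token(headers: dict) -> bool:
    """Gate for a theme.js.php-style token endpoint: serve the CSRF token only
    to same-origin XMLHttpRequest/fetch callers. A <script src> include from a
    third-party page arrives with Sec-Fetch-Dest: script and cannot carry the
    custom X-Requested-With header (that would need a CORS preflight, which
    this endpoint never approves), so both checks refuse the inclusion path."""
    h = _lower(headers)
    if h.get("sec-fetch-dest") == "script":
        return False
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False
    return is_same_site_request(headers)


# Constructed request header sets for the cases that matter.
CROSS_SITE_SCRIPT_INCLUDE = {"Sec-Fetch-Site": "cross-site",
                             "Sec-Fetch-Dest": "script",
                             "Referer": "https://attacker.invalid/"}
SAME_ORIGIN_XHR = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Dest": "empty",
                   "X-Requested-With": "XMLHttpRequest"}
LEGACY_SAME_ORIGIN_XHR = {"Referer": "https://blog.example/zb_system/admin/",
                          "X-Requested-With": "XMLHttpRequest"}  # no Fetch Metadata
```

Gating delivery of the token does not by itself fix the flawed regex on the template/plugin creation path; that validation still needs its own correction.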
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- github.com/zblogcn/zblogphp/issues/201 (MITRE, x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.