CVE-2018-25336
Description
Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting the /jcart/account/edit.html, /jcart/account/password.html and /jcart/account/affiliate/edit.html endpoints to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla jCart for OpenCart 2.3.0.2 is vulnerable to CSRF, allowing unauthenticated attackers to modify user account information via crafted forms.
Vulnerability
Joomla jCart for OpenCart version 2.3.0.2 contains a cross-site request forgery (CSRF) vulnerability. The extension fails to implement anti-CSRF tokens on user account management endpoints, including /jcart/account/edit.html, /jcart/account/password.html, and /jcart/account/affiliate/edit.html. This allows an attacker to craft malicious HTML forms that, when submitted by an authenticated victim, can modify user credentials, password, and affiliate account details without the victim's consent. The affected version is 2.3.0.2, as identified in the exploit-db entry [1][2][3].
Exploitation
An attacker can exploit this vulnerability by hosting a malicious HTML page containing auto-submitting forms targeting the vulnerable endpoints. The attacker must trick an authenticated victim into visiting the attacker-controlled page (e.g., via phishing or social engineering). No authentication or prior access to the victim's account is required for the attacker. The victim's browser automatically submits the form, and because the endpoints lack CSRF protections the request is honoured, performing actions such as changing the user's firstname, lastname, email, telephone, password, or affiliate payment details [2].
Impact
Successful exploitation allows the attacker to modify user account information without the victim's knowledge. This can lead to account takeover by altering the email address or password, manipulation of affiliate account settings (e.g., payment method, bank details), and unauthorized disclosure or modification of personal data. The integrity and availability of the user account are compromised, potentially enabling further attacks such as fraudulent transactions or privilege escalation within the e-commerce system [2][3].
Mitigation
No official patch or fixed version has been released as of the publication date. The vendor maintains the extension at the Joomla Extension Directory, but no update addressing this CSRF vulnerability has been identified. Users are advised to implement workarounds such as adding custom CSRF tokens to the vulnerable forms via a Joomla plugin or disabling the jCart extension until a fix is available. The vulnerability is listed in the Exploit Database (EDB-ID 44788) but not in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][3].
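The following is an added illustration, not code from jCart or OpenCart, of the anti-CSRF token workaround described above. It models the account-edit handler twice, once as the unprotected endpoint and once with a per-session synchronizer token, and replays a forged cross-site POST (which carries the victim's session cookie but cannot contain the token) against both; the Session class, field names and sample values are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the victim's server-side session. The CSRF token is
# generated once per session and only ever reaches the browser inside forms
# rendered by the site itself, so a cross-site page cannot read it.
class Session:
    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.account = {"firstname": "Alice", "lastname": "Doe",
                        "email": "alice@example.invalid", "telephone": "000"}

EDITABLE = ("firstname", "lastname", "email", "telephone")

def edit_account_vulnerable(session, form):
    """POST /jcart/account/edit.html as affected: any request that arrives with
    the victim's session cookie is applied, whether or not it carries a token."""
    session.account.update({k: form[k] for k in EDITABLE if k in form})
    return 200

def edit_account_hardened(session, form):
    """Same endpoint with a synchronizer token: the submitted form must echo the
    token stored in the session, compared in constant time; otherwise reject
    before touching any account field."""
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent, session.csrf_token):
        return 403  # forged or stale request: no update performed
    session.account.update({k: form[k] for k in EDITABLE if k in form})
    return 200

def simulate_forged_post(handler):
    """A cross-site auto-submitted form reaches the server with the victim's
    cookie attached, but the attacker's page never saw the token, so it is absent."""
    victim = Session()
    forged = {"firstname": "Alice", "email": "attacker@example.invalid"}
    status = handler(victim, forged)
    return status, victim.account["email"]

def simulate_legit_post(handler):
    """A same-origin form rendered by the site includes the token as a hidden field."""
    victim = Session()
    form = {"email": "alice.new@example.invalid", "csrf_token": victim.csrf_token}
    status = handler(victim, form)
    return status, victim.account["email"]
```

The hardened handler must be applied to every state-changing endpoint named in the advisory (account edit, password change and affiliate edit), since protecting only one leaves the others forgeable.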
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 2.3.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.