VYPR
Medium severity · 4.3 · NVD Advisory · Published May 23, 2026 · Updated May 26, 2026

CVE-2018-25343

Description

Smartshop 1 is vulnerable to CSRF via editprofile.php, allowing attackers to modify admin profile data by tricking an authenticated admin into visiting a malicious page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Smartshop version 1, an e-commerce PHP/MySQL website [3], contains a cross-site request forgery (CSRF) vulnerability in the editprofile.php file. The application lacks anti-CSRF tokens, allowing attackers to forge requests to modify user profiles. The vulnerable parameter handling in editprofile.php accepts email, password, and confirmation fields via POST without validating the request origin [1][2].

Exploitation

An attacker can craft an HTML form that automatically submits POST requests to the editprofile.php endpoint on the target Smartshop installation. The form includes hidden fields for email, password, and confirmation parameters. An authenticated admin user only needs to visit the malicious page (e.g., via a crafted link or phishing email) for the form to auto-submit using JavaScript [2]. No additional interaction beyond visiting the page is required. The attacker can change the admin's email and password, effectively hijacking the account.

Impact

Successful exploitation allows an attacker to change the email address and password of the admin user. This results in complete account takeover, leading to unauthorized access to the admin panel. The attacker can then perform any administrative actions, such as modifying products, users, or site settings. The impact is primarily integrity and availability loss, as the attacker can alter site content and potentially lock out the legitimate admin [1][2].

Mitigation

A patched version has not been disclosed in the available references. Since the latest known version is 1.0 [1] and the project appears unmaintained (last update in 2017) [3], users should implement a web application firewall (WAF) rule to block POST requests to editprofile.php that lack a valid CSRF token, or manually add anti-CSRF tokens to the application. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF token validation in editprofile.php allows an attacker to forge profile modification requests."

Attack vector

An attacker crafts an HTML page containing a hidden form that auto-submits to the vulnerable editprofile.php endpoint [ref_id=1]. The form includes hidden fields for email, password, and confirmation parameters, targeting the admin profile update functionality. When an authenticated admin user visits the attacker's page, the form automatically submits via JavaScript, modifying the admin's email and password without their consent [ref_id=1]. The attack requires no special privileges beyond tricking an already-authenticated admin into loading the malicious page.

Affected code

The vulnerable endpoint is editprofile.php in the admin directory of Smartshop 1 [ref_id=1]. The file processes POST parameters for email, password, and confirmation without verifying the request origin or requiring a CSRF token.

What the fix does

No patch is provided in the bundle. The advisory does not specify a fix, but the standard remediation for CSRF is to implement anti-CSRF tokens — unique, unpredictable values embedded in each form that the server validates on submission. Without such tokens, the application cannot distinguish between a legitimate request originating from its own UI and a forged request from an external page [ref_id=1].
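The remediation the Mitigation and "What the fix does" sections describe, a synchronizer token issued per session and checked on every POST, is shown below as an added example written for this advisory. It is not Smartshop's code and not a published patch: the field names email, password and confirmation follow the advisory, while the session key, the hidden-field name, the function names and the commented-out update_admin_profile() helper are assumptions. The Origin/Referer check and the SameSite cookie flag are defence in depth on top of the token, not a substitute for it.

```php
<?php
// Added example: synchronizer-token CSRF protection for a profile-edit handler.
// Not Smartshop's code. Field names (email, password, confirmation) follow the
// advisory; session key, field name and helper names are assumptions.

declare(strict_types=1);

// SameSite=Lax stops the session cookie riding along on cross-site POSTs
// in modern browsers (PHP 7.3+ signature). HttpOnly keeps it out of scripts.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key
const CSRF_FIELD       = 'csrf_token';   // assumed hidden-field name

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes -> 64 hex chars; a cross-origin page cannot read or guess it.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only when a token was submitted and it matches the session copy.
 * hash_equals() compares in constant time.
 */
function csrf_validate(array $post): bool
{
    $sent   = $post[CSRF_FIELD] ?? '';
    $stored = $_SESSION[CSRF_SESSION_KEY] ?? '';
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
}

/**
 * Defence in depth: a form auto-submitted from another site carries that
 * site's Origin (or Referer). A missing header is tolerated here because some
 * clients strip it on same-origin navigations; reject it where that fits.
 */
function origin_allowed(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($origin === null) {
        return true;
    }
    $host = (string) parse_url($origin, PHP_URL_HOST);
    return $host !== '' && strcasecmp($host, $expectedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST) || !origin_allowed($_SERVER, $_SERVER['HTTP_HOST'] ?? '')) {
        // Log the rejection: a burst of these is a detection signal for a CSRF campaign.
        error_log('CSRF check failed on editprofile.php from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(403);
        exit('Invalid request.');
    }
    // Token and origin accepted: only now touch email / password / confirmation.
    $email    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = $_POST['password'] ?? '';
    if ($email === false || $password === '' || $password !== ($_POST['confirmation'] ?? null)) {
        http_response_code(400);
        exit('Bad input.');
    }
    // update_admin_profile($email, password_hash($password, PASSWORD_DEFAULT)); // assumed DB helper
    exit('Profile updated.');
}
?>
<!-- The hidden token binds this form to the session that rendered it -->
<form method="post" action="editprofile.php">
  <?= csrf_field() ?>
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="password" name="confirmation">
  <button type="submit">Save</button>
</form>
```

A page hosted elsewhere cannot read the token out of the admin's session, so a forged POST arrives without it (or with a stale guess) and is rejected with 403 before any profile field is read. Regenerate the token on login to avoid fixation across sessions, and extend the same check to every other state-changing endpoint in the admin directory rather than to editprofile.php alone.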

Preconditions

  • auth: The victim must be authenticated as an admin user in Smartshop 1.
  • network: The attacker must be able to deliver a crafted HTML page to the victim's browser (e.g., via a link, iframe, or hosted page).
  • input: The attacker must know or guess the URL path to editprofile.php (default: http://127.0.0.1/clone/Smartshop-master/admin/editprofile.php).

Reproduction

1. Log in as an admin user on a Smartshop 1 instance.
2. Host the PoC HTML page (provided in the exploit) on an attacker-controlled server or deliver it via any means.
3. While authenticated, visit the hosted PoC page. The page auto-submits a POST request to editprofile.php with hidden fields setting email to "decode@test.com" and password to "1234".
4. The admin's email and password are silently changed, allowing the attacker to log in with the new credentials [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.