VYPR
Medium severity (5.3) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25397

Description

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP-SHOP 1.0 is vulnerable to cross-site request forgery, allowing unauthenticated attackers to create admin accounts by tricking authenticated administrators.

Vulnerability

PHP-SHOP 1.0 contains a cross-site request forgery (CSRF) vulnerability in the users.php endpoint. The endpoint accepts POST requests to add new users without requiring a CSRF token or other anti-forgery measures. An attacker can craft a malicious HTML form that automatically submits a POST request to http://127.0.0.1/clone/SHOP-PHP/admin/users.php?add=1 with parameters such as name, email, password, and permissions set to admin,editor. This allows the creation of unauthorized administrative accounts. The vulnerability affects all installations of PHP-SHOP version 1.0 [1][2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a hidden HTML form that auto-submits via JavaScript. The attacker must trick an authenticated administrator into visiting a page containing this form (e.g., via email, social engineering, or hosting on a malicious site). No authentication or prior access is required for the attacker. The form automatically sends a POST request to the users.php endpoint, creating a new admin user with attacker-controlled credentials [1].

Impact

Successful exploitation allows the attacker to create a new administrative account with full privileges. This leads to complete compromise of the PHP-SHOP application, including access to sensitive data, modification of shop settings, and potential further attacks on the underlying server. The impact is high as the attacker gains persistent admin access without any authentication [2].

Mitigation

No official patch has been released for this vulnerability. The PHP-SHOP project appears unmaintained, and version 1.0 is likely end-of-life. As a workaround, administrators should implement CSRF protection (e.g., synchronizer tokens) on the users.php endpoint, restrict access to the admin panel via IP whitelisting or VPN, and educate users about phishing attacks. Until a fix is applied, the vulnerability remains exploitable [1][2].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 affected products
  • Joeyrush/Php Shop, 2 versions (no CPE); range: = 1.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protection on the admin user creation endpoint allows unauthenticated attackers to forge requests that create administrative accounts."

Attack vector

An unauthenticated attacker crafts a malicious HTML form that automatically submits a POST request to the `admin/users.php?add=1` endpoint [ref_id=1]. The form includes hidden fields for `name`, `email`, `password`, and `permissions` set to `admin,editor`. When an authenticated administrator visits the attacker's page, the form auto-submits via JavaScript, creating a new admin account without the administrator's knowledge or consent. The attack requires no special network position beyond the ability to deliver the HTML page to the victim.

Affected code

The vulnerability exists in the `admin/users.php` endpoint of PHP-SHOP 1.0. The endpoint accepts POST requests to add new users without verifying the origin of the request or requiring a CSRF token. The exploit targets the `users.php?add=1` handler with parameters `name`, `email`, `password`, `confirm`, and `permissions`.

What the fix does

The advisory does not include a patch or vendor fix. To remediate this CSRF vulnerability, the application should implement anti-CSRF tokens on all state-changing forms, validate the `Origin` or `Referer` header on the server side, and require re-authentication for sensitive actions such as creating administrative users. Without these protections, the `users.php` endpoint remains vulnerable to cross-origin form submissions.
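The three controls named above (synchronizer token, Origin/Referer validation, and re-authentication for sensitive actions) applied to an "add user" handler in the shape of `admin/users.php?add=1`, as an added PHP example; this is not PHP-SHOP's own code. `SHOP_HOST`, `create_user()`, the `csrf_token` field name and the re-authentication window are assumptions, and the form fields mirror those the advisory lists (`name`, `email`, `password`, `confirm`, `permissions`).

```php
<?php
// Added example (not PHP-SHOP's code): CSRF hardening for an admin user-creation
// handler. Assumes the admin area uses PHP sessions, reads the listed fields
// from $_POST, and persists accounts through a hypothetical create_user().
declare(strict_types=1);

const SHOP_HOST = 'shop.example.test';   // assumption: configured, not taken from Host header
const REAUTH_WINDOW_SECONDS = 300;       // assumption: re-login required within the last 5 minutes

// Mark the session cookie SameSite=Lax so browsers omit it from cross-site POSTs
// (defence in depth; the token check below is the primary control).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one synchronizer token per session and reuse it for all admin forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token to the session token in constant time.
function csrf_token_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Accept the request only if Origin (or, failing that, Referer) names our host.
// Requests carrying neither header are rejected rather than trusted.
function origin_allowed(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Sensitive action gate: the admin must have re-entered their password recently.
// The login handler is assumed to set $_SESSION['reauth_at'] = time().
function recently_reauthenticated(): bool
{
    $at = $_SESSION['reauth_at'] ?? 0;
    return is_int($at) && (time() - $at) <= REAUTH_WINDOW_SECONDS;
}

// The legitimate form carries the token as a hidden field; a forged cross-site
// form cannot read the victim's session token, so it fails the check.
function render_add_user_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="users.php?add=1">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input name="name"> <input name="email" type="email">
  <input name="password" type="password"> <input name="confirm" type="password">
  <input name="permissions">
  <button type="submit">Add user</button>
</form>
HTML;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_GET['add'])) {
    if (!origin_allowed(SHOP_HOST) || !csrf_token_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token or origin.');
    }
    if (!recently_reauthenticated()) {
        http_response_code(403);
        exit('Please re-enter your password before creating administrative users.');
    }
    if (($_POST['password'] ?? '') === '' || ($_POST['password'] ?? '') !== ($_POST['confirm'] ?? '')) {
        http_response_code(400);
        exit('Password confirmation does not match.');
    }
    // create_user() is hypothetical and stands in for PHP-SHOP's own insert logic.
    // create_user($_POST['name'], $_POST['email'], $_POST['password'], $_POST['permissions']);
    exit('User created.');
}

echo render_add_user_form();
```

The token check is the control that closes the hole described in the advisory: the attacker's page can make the victim's browser send the session cookie, but it cannot read the token stored in the victim's session, so the forged POST fails with 403 before any account is written. The Origin check and the SameSite cookie attribute are independent layers, and the re-authentication gate limits the damage if either is misconfigured.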

Preconditions

  • auth: An authenticated administrator must be logged into PHP-SHOP and visit a page controlled by the attacker.
  • input: The attacker must craft an HTML page containing a hidden form that auto-submits to the admin/users.php endpoint.
  • network: The victim's browser must have the PHP-SHOP admin session cookie active and same-origin policy must not block the cross-origin form submission.

Reproduction

1. Host the provided HTML form on an attacker-controlled page.
2. Ensure an authenticated PHP-SHOP administrator visits that page.
3. The form auto-submits via `document.forms[0].submit()` to `http://127.0.0.1/clone/SHOP-PHP/admin/users.php?add=1`.
4. A new admin user with name `TEST`, email `TEST2`, password `T3ST123`, and permissions `admin,editor` is created.
5. The attacker can now log in with these credentials and gain full administrative access.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.