CVE-2018-25397: CSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
PHP-SHOP 1.0 is vulnerable to cross-site request forgery (CSRF), a class of attack where malicious actors craft hidden web forms designed to trick authenticated administrators into unknowingly adding new admin accounts. An attacker creates a deceptive webpage containing a concealed form that automatically submits admin account creation requests when an authenticated admin visits the page. This allows the attacker to gain administrative control without needing the victim's credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25397 is a CSRF vulnerability in PHP-SHOP 1.0 affecting the users.php endpoint. The vulnerability exists because the application does not implement CSRF protections (such as synchronizer tokens or SameSite cookie attributes) on administrative user creation functionality. An unauthenticated attacker can craft HTML containing a hidden form with POST parameters for name, email, password, and admin permissions. When an authenticated administrator is tricked into visiting a page hosting this malicious form, the browser automatically submits the request in the admin's authenticated session context, bypassing access controls and creating an unauthorized privileged account. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N reflects network-based attack surface, low attack complexity, no privilege requirements, but importantly requires no user interaction in the technical sense—though social engineering is the practical attack vector. The integrity impact reflects account creation and privilege escalation risk.
Business impact
Successful exploitation grants attackers persistent administrative access to the PHP-SHOP application. This enables unauthorized configuration changes, data theft, user account compromise, or malicious content injection. While the CVSS score is moderate, the functional impact is severe: admin-level compromise can lead to complete application takeover, affecting stored customer and transaction data. For organizations relying on PHP-SHOP for e-commerce or content management, this represents a clear path to credential persistence and lateral movement into downstream systems.
Affected systems
PHP-SHOP version 1.0 is the affected product. The vendors_products field in the source data is empty, indicating limited vendor verification in the original submission; organizations using PHP-SHOP should verify their exact version against the PHP-SHOP project release history or check for patched derivatives. Legacy or self-hosted installations of PHP-SHOP 1.0 are at direct risk.
Exploitability
This vulnerability is straightforward to exploit from a technical perspective. An attacker needs only to host a webpage containing HTML with a CSRF payload targeting the users.php endpoint. No authentication is required on the attacker side, and the attack leverages the browser's automatic credential transmission to execute the malicious request. The primary barrier is social engineering—convincing an authenticated administrator to visit the attacker's page. Once that occurs, account creation happens automatically without further user interaction, making this a high-confidence attack if admin visitation can be achieved. No public exploit code is known to be active as of the publication date, but the attack surface is well-understood and low-skill attackers could quickly weaponize this.
Remediation
The immediate remedy is to upgrade PHP-SHOP to a patched version addressing CSRF protections. Verify against the PHP-SHOP project advisories for the exact fixed release. Interim mitigation includes implementing CSRF tokens on all state-changing operations, enforcing SameSite cookie policies (Strict or Lax), and educating administrators about phishing risks. Web Application Firewalls can provide partial protection by detecting anomalous cross-site form submissions, though token-based defenses are the proper fix.
Patch guidance
Consult the PHP-SHOP project repository or official vendor advisories for patched releases. Organizations should prioritize testing patches in a staging environment given that admin account creation is a sensitive operation. If PHP-SHOP 1.0 is no longer actively maintained, consider migrating to a modern, supported e-commerce or CMS platform with built-in CSRF protections.
Detection guidance
Monitor web application logs for POST requests to users.php with admin-related parameters originating from unexpected referrer headers or cross-origin sources. Endpoint detection and response tools should flag unusual admin account creation events, particularly those occurring outside normal admin activity windows or from non-admin IP ranges. Review web server and PHP-SHOP logs for session anomalies. Network-based detection can identify outbound admin traffic from compromised sessions.
Why prioritize this
Although the CVSS score is moderate (5.3), the functional impact warrants elevated priority. Successful exploitation directly enables persistent administrative access—the highest privilege level in an application. For organizations running PHP-SHOP 1.0, this should be treated as a high-priority remediation item because the attack is low-friction, the impact is severe, and no exploit complexity or privilege requirements exist on the attacker side. Organizations not running PHP-SHOP can safely deprioritize, but those running it should patch or migrate immediately.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects: network-accessible attack vector with low complexity, no requirement for prior authentication or user privileges on the attacker side, and no confidentiality or availability impact. However, the integrity impact is marked as low due to the scope being unchanged—but in practice, creating unauthorized admin accounts is a privilege escalation with cascading integrity and availability consequences. The score does not fully capture the post-exploitation risk of admin compromise. Organizations should apply business context: for PHP-SHOP deployments handling sensitive data, the effective risk is substantially higher than the base score suggests.
Frequently asked questions
What is a cross-site request forgery, and how does this vulnerability differ from CSRF in other systems?
CSRF is an attack where a malicious site tricks your browser into making unwanted requests to another site on which you're logged in. This vulnerability is not unique to PHP-SHOP—CSRF is a general web security risk—but PHP-SHOP 1.0's lack of anti-CSRF tokens makes it particularly vulnerable. The attacker doesn't need to know the admin's password; they just need to craft a form targeting the admin account creation endpoint and socially engineer the admin into visiting the attacker's page.
If I'm running PHP-SHOP 1.0, what is my immediate action item?
First, verify your exact version and check the PHP-SHOP project for available patches. If a patch exists, test and deploy it immediately since admin account compromise is a critical risk. If no patch is available and the project is unmaintained, begin planning a migration to a modern, actively supported e-commerce platform. In the interim, restrict network access to the admin panel, enforce strong authentication, and educate administrators about phishing attempts.
Can a firewall or WAF protect me against this?
A WAF can provide partial defense by detecting anomalous cross-site requests, but it is not a substitute for proper code-level CSRF defenses. The only reliable fix is for the application to implement CSRF tokens on all state-changing operations. Use WAF rules as a temporary layer while you patch or migrate.
Is this vulnerability actively exploited in the wild?
CVE-2018-25397 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no confirmed widespread exploitation has been reported. However, the simplicity of the attack and the legacy nature of PHP-SHOP mean that opportunistic attackers targeting outdated installations may have weaponized this vulnerability. Do not assume absence from KEV means the vulnerability is not exploited.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. SEC.co does not guarantee the accuracy or completeness of external references, vendor advisories, or patch availability. Always verify patch details against official vendor sources before deployment. This advisory does not constitute legal, compliance, or professional security advice. Organizations must conduct their own risk assessment based on their infrastructure and threat landscape. Exploitation details are intentionally limited to prevent weaponization; refer to vendor security bulletins for comprehensive technical guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2026-4071MEDIUMBirdSeed WordPress Plugin CSRF Vulnerability – Patch & Detection Guide
- CVE-2026-42073MEDIUMOpenClaude OAuth State Validation Bypass Denial of Service
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-43985HIGHCritical CSRF Vulnerability in Tautulli Admin Endpoint Allows Credential Hijacking