CVE-2018-25435: ZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
ZeusCart 4.0 is vulnerable to a cross-site request forgery (CSRF) attack that allows an attacker to trick administrators into unknowingly deactivating customer accounts. By crafting a malicious webpage or email link, an attacker can force an admin to submit a request that disables customer access without their knowledge or consent. The attack requires only that an administrator visit an attacker-controlled page while logged into their ZeusCart admin panel.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with action=deny parameters.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25435 is a CSRF vulnerability (CWE-352) in ZeusCart 4.0 affecting the account status modification endpoint. The regstatus endpoint does not validate CSRF tokens when processing account deactivation requests with action=deny parameters. An attacker can exploit this by embedding a request in a webpage or crafted link that, when visited by an authenticated administrator, performs the malicious action. The vulnerability requires no special privileges from the attacker but does require that the target be an authenticated admin user at the time of the attack. The attack surface is the admin interface, making this primarily a threat to administrative operations.
Business impact
This vulnerability could result in denial of service to legitimate customers through unauthorized account deactivation. Affected merchants may experience reputation damage, customer support escalation, and potential loss of revenue if customer accounts are systematically disabled. The risk is elevated in multi-administrator environments where staff may visit untrusted links or emails. Incident response and account recovery operations would create operational overhead. Depending on the sensitivity of customer data and contractual SLAs, there may also be regulatory notification requirements.
Affected systems
ZeusCart version 4.0 is confirmed vulnerable. Other versions have not been explicitly identified in available data. Organizations running ZeusCart should verify their version and consult the vendor's security advisories for a complete list of affected and patched releases. If you are using ZeusCart, inventory your instances and confirm whether they are at version 4.0 or have been updated since this vulnerability was published.
Exploitability
This vulnerability has a CVSS score of 5.3 (Medium severity) and is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack vector is network-based and requires no user authentication from the attacker, but does require that an admin user be tricked into visiting an attacker-controlled resource. The complexity is low—no special technical knowledge is required to craft a malicious request. However, social engineering is a prerequisite; the attacker must successfully deceive an administrator into clicking a link or visiting a page. The impact is limited to integrity (account status modification), not confidentiality or availability of data itself.
Remediation
Organizations running ZeusCart 4.0 should immediately contact the vendor or check their official security advisories for patch availability. The primary remediation is to upgrade to a patched version of ZeusCart that implements CSRF token validation on the regstatus endpoint. Until patching is possible, implement compensating controls: enforce CSRF token validation at the application level, restrict admin panel access by IP address, use Content Security Policy headers to prevent unauthorized form submissions, and conduct user awareness training on phishing and social engineering tactics targeting admin staff.
Patch guidance
Consult the official ZeusCart vendor security advisory for the specific patch version that addresses CVE-2018-25435. Patch releases should be tested in a non-production environment before deployment. Verify that the patch includes CSRF token validation on all state-changing administrative endpoints, not just the regstatus function. After patching, confirm that admin users are required to re-authenticate and that CSRF tokens are validated on account modification requests. Document your patching timeline and retain records for audit purposes.
Detection guidance
Monitor application logs for unusual patterns in the regstatus endpoint, particularly requests with action=deny parameters originating from unexpected sources or referrers. Look for a spike in account deactivation events or rapid-fire requests from single IP addresses. Implement anomaly detection on administrative actions: flag when deactivations occur outside normal business hours or from geographies inconsistent with admin user patterns. Network-level detection can identify suspicious cross-origin requests to the admin panel if CSRF tokens are logged. Review admin session logs and referrer headers to identify whether malicious requests came from external domains.
Why prioritize this
Although scored as Medium severity, this vulnerability should receive prompt attention because it directly impacts customer-facing operations and can cause immediate reputational harm. The attack is easy to execute and requires only social engineering; no zero-day exploit knowledge is needed. The affected version (4.0) may still be in use by smaller merchants who lag on updates. Organizations should prioritize based on whether they run ZeusCart, the number of admin users, and the security awareness training level of administrative staff.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a Medium-severity impact limited to integrity (account status), with no confidentiality or availability impact. The attack vector is network-based (AV:N) with low complexity (AC:L) and no privilege requirements (PR:N), making it easy to launch. However, the score does not account for the social engineering requirement, which significantly raises the bar for real-world exploitation. In environments with strong security awareness training and restricted admin access, this risk may trend lower in practice.
Frequently asked questions
Does this vulnerability allow attackers to access customer data or payments?
No. CVE-2018-25435 is limited to CSRF-based account deactivation. It does not grant the attacker access to customer personal information, payment data, or customer accounts themselves. The attacker can only disable accounts on behalf of an admin user through the admin panel.
Do we need to do anything if we're not running ZeusCart?
No. This vulnerability is specific to ZeusCart 4.0. If your organization does not use ZeusCart e-commerce software, you are not affected.
What's the difference between this CSRF vulnerability and a phishing attack?
CSRF tricks a logged-in admin into unknowingly submitting a malicious request while they're already authenticated to ZeusCart. Phishing tricks a user into revealing credentials. This CSRF vulnerability does not require the attacker to steal admin credentials—it exploits the existing trust relationship between the admin and the application.
Why isn't this on CISA's KEV list if it's a Medium severity vulnerability affecting e-commerce?
CISA's KEV catalog prioritizes vulnerabilities being actively exploited in the wild and poses significant risk to federal systems and critical infrastructure. This vulnerability, while real and deserving of attention, either has not been observed in widespread exploitation campaigns or was disclosed after the KEV prioritization window. Medium-severity CSRF vulnerabilities are less frequently weaponized than high-impact RCE or authentication bypass flaws, so inclusion on KEV is less common.
This analysis is provided for informational purposes and represents the state of knowledge as of the published and modified dates. CVSS scores and CWE classifications are derived from official sources. Patch availability and specific remediation steps should be verified directly with the ZeusCart vendor security advisory. Organizations should conduct their own risk assessment based on their environment, deployment, and exposure. This summary does not constitute security advice or endorsement of any particular product or vendor. Always test patches in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-34460MEDIUMNamelessMC OAuth State Validation Flaw Enables Session Hijacking
- CVE-2026-4071MEDIUMBirdSeed WordPress Plugin CSRF Vulnerability – Patch & Detection Guide
- CVE-2026-42073MEDIUMOpenClaude OAuth State Validation Bypass Denial of Service
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-43985HIGHCritical CSRF Vulnerability in Tautulli Admin Endpoint Allows Credential Hijacking