CVE-2018-25200 | THREATINT

Description

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access.

PUBLISHED Reserved 2026-03-06 | Published 2026-03-06 | Updated 2026-03-06 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Cross-Site Request Forgery (CSRF)

Product status

1.0

affected

Credits

Ihsan Sencan finder

References

www.exploit-db.com/exploits/45794 (ExploitDB-45794) exploit

www.vulncheck.com/...oss-site-request-forgery-via-adduserphp (VulnCheck Advisory: OOP CMS BLOG 1.0 Cross-Site Request Forgery via addUser.php) third-party-advisory

cve.org (CVE-2018-25200)

nvd.nist.gov (CVE-2018-25200)

Download JSON