8 matches found
CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...
EUVD-2020-31233
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts...
CVE-2026-4312
Affected product: DrangSoft GCB/FCB Audit Software. Vulnerability: Missing Authentication, enabling unauthenticated remote attackers to directly access APIs and create a new administrative account. Impact/risks: High impact on confidentiality, integrity, and availability as per CVSS metrics (CRIT...
EUVD-2018-21652
OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and ro...
CVE-2026-3589 WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example...
WordPress Plugin 'LA Studio Element Kit for Elementor' < 1.6.0 Unauthenticated Privilege Escalation via Backdoor
The WordPress application running on the remote host has a version of the 'LA Studio Element Kit for Elementor' plugin that is prior to 1.6.0. It is, therefore, affected by an unauthenticated privilege escalation vulnerability. The plugin contains a backdoor that allows unauthenticated attackers ...
CVE-2020-37091
Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FA...
CVE-2018-0417
A vulnerability in TACACS authentication with Cisco Wireless LAN Controller WLC Software could allow an authenticated, local attacker to perform certain operations within the GUI that are not normally available to that user on the CLI. The vulnerability is due to incorrect parsing of a specific...