CVE-2018-25200 MEDIUM

CVE-2018-25200: OOP CMS BLOG 1.0 Cross-Site Request Forgery via addUser.php

Vendor Zsoft

Product OOP CMS BLOG

Weakness CWE-352 · CSRF

Published March 6, 2026

Last update March 9, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

Description

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access.

Key dates

Disclosure timeline

March 6, 2026 CVE published

March 9, 2026 Record updated