CS-Cart
CVE-2025-50850
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Network, unauthenticated, low-complexity automated guessing; successful login fully compromises one vendor account's data (C:H/I:H) but causes no availability impact, so A:N replaces the inflated A:H.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.
AnalysisAI
Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).
Technical ContextAI
CS-Cart is a PHP-based multi-vendor e-commerce platform whose vendor panel authenticates sellers who manage products, orders, and payouts. The weakness maps to CWE-284 (Improper Access Control): the authentication surface enforces no anti-automation defenses, so the login handler will process an unbounded number of credential submissions without throttling, CAPTCHA challenge, or lockout after repeated failures. The single affected build is identified by CPE cpe:2.3:a:cs-cart:cs-cart:4.18.3, and the flaw is a missing-control weakness rather than a memory-safety or injection bug - the endpoint behaves as designed but lacks the guardrails expected on a public authentication interface.
RemediationAI
No vendor-released patch identified at time of analysis, so apply compensating controls directly on the vendor login flow: enforce CAPTCHA (e.g., reCAPTCHA/hCaptcha) on the vendor login form to break automation; implement server-side rate limiting and progressive delays keyed on source IP and username; and enable account lockout or temporary throttling after a threshold of failed attempts (trade-off: attacker-driven lockouts can deny service to legitimate vendors, so prefer soft throttling plus alerting over hard lockout). At the edge, place the vendor panel behind a WAF or reverse-proxy rate-limit rule and, where feasible, restrict the vendor login endpoint to known vendor IP ranges or a VPN (trade-off: reduces convenience for distributed sellers). Enforce strong password policy and mandatory MFA for vendor accounts to neutralize the value of guessed passwords. Monitor the referenced advisory (https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md) and CS-Cart release notes for an official fixed version, and do not deploy any invented version number.
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remot
Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), C
The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP
Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated
Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users o
In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the b
Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multiv
CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and ear
CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient
Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary w
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today