Skip to main content

CS-Cart CVE-2025-50850

HIGH
Improper Access Control (CWE-284)
2025-07-31 cve@mitre.org
8.6
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
vuln.today AI
9.1 CRITICAL

Network, unauthenticated, low-complexity automated guessing; successful login fully compromises one vendor account's data (C:H/I:H) but causes no availability impact, so A:N replaces the inflated A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:07 vuln.today

DescriptionCVE.org

An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.

AnalysisAI

Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).

Technical ContextAI

CS-Cart is a PHP-based multi-vendor e-commerce platform whose vendor panel authenticates sellers who manage products, orders, and payouts. The weakness maps to CWE-284 (Improper Access Control): the authentication surface enforces no anti-automation defenses, so the login handler will process an unbounded number of credential submissions without throttling, CAPTCHA challenge, or lockout after repeated failures. The single affected build is identified by CPE cpe:2.3:a:cs-cart:cs-cart:4.18.3, and the flaw is a missing-control weakness rather than a memory-safety or injection bug - the endpoint behaves as designed but lacks the guardrails expected on a public authentication interface.

RemediationAI

No vendor-released patch identified at time of analysis, so apply compensating controls directly on the vendor login flow: enforce CAPTCHA (e.g., reCAPTCHA/hCaptcha) on the vendor login form to break automation; implement server-side rate limiting and progressive delays keyed on source IP and username; and enable account lockout or temporary throttling after a threshold of failed attempts (trade-off: attacker-driven lockouts can deny service to legitimate vendors, so prefer soft throttling plus alerting over hard lockout). At the edge, place the vendor panel behind a WAF or reverse-proxy rate-limit rule and, where feasible, restrict the vendor login endpoint to known vendor IP ranges or a VPN (trade-off: reduces convenience for distributed sellers). Enforce strong password policy and mandatory MFA for vendor accounts to neutralize the value of guessed passwords. Monitor the referenced advisory (https://github.com/hackerwahab/CS-Cart-Vulns/blob/main/CVE-2025-50850.md) and CS-Cart release notes for an official fixed version, and do not deploy any invented version number.

CVE-2015-2701 MEDIUM POC
6.8 Mar 25

Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of

CVE-2016-4862 HIGH
8.8 Apr 20

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remot

CVE-2017-2138 HIGH
8.8 Aug 02

Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), C

CVE-2017-15673 HIGH
7.2 Nov 28

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP

CVE-2025-50847 MEDIUM
6.5 Jul 31

Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated

CVE-2025-50848 MEDIUM
6.1 Jul 31

Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users o

CVE-2021-32202 MEDIUM
6.1 Sep 14

In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the b

CVE-2017-10886 MEDIUM
5.4 Nov 17

Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multiv

CVE-2017-2139 MEDIUM
5.3 Apr 28

CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and ear

CVE-2013-0118 MEDIUM
5.0 Feb 24

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient

CVE-2013-7317 MEDIUM
4.3 Jan 24

Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary w

Share

CVE-2025-50850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy