ZeusCart
cpe:2.3:a:zeuscart:zeuscart:*:*:*:*:*:*:*
- <= 4.0
A cross-site request forgery (CSRF) vulnerability has been identified in ZeusCart version 4.0. This vulnerability allows attackers to perform unauthorized actions on behalf of users by sending crafted requests. Specifically, attackers can deactivate customer accounts through the admin interface by persuading users to visit attacker-controlled pages that trigger requests to the regstatus endpoint with the action=deny parameter.
Exploitation of this vulnerability allows for the unauthorized deactivation of customer accounts, banning them from logging in.
To reproduce this vulnerability, an attacker must create a webpage that sends a request to the ZeusCart admin regstatus endpoint, including the action=deny parameter and the ID of the account to be deactivated. When a user visits this page while logged in, the browser attaches their session, and the account is deactivated without their consent.
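The root cause is a state-changing admin endpoint that accepts any request carrying the admin's session cookie. The following is an added example, not ZeusCart's own code: a hypothetical hardened handler for a regstatus endpoint that only honours action=deny from a genuine same-site POST carrying a synchronizer token. The constant ADMIN_HOST, the session key names and deactivateCustomer() are assumptions for illustration.

```php
<?php
// Added example, not ZeusCart code: hypothetical hardened admin "regstatus" handler.
declare(strict_types=1);

const ADMIN_HOST = 'shop.example'; // assumed host of the admin interface

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site POSTs.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Per-session synchronizer token; the admin form must embed it as a hidden field.
function csrfTokenForSession(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function isRequestAllowed(array $server, array $post, string $expectedToken): bool {
    // State changes only via POST: a cross-site <img> or link GET cannot trigger them.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Browsers set Origin on cross-site POSTs; reject any origin that is not ours.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== ADMIN_HOST) {
        return false;
    }
    // The attacker's page cannot read the token, so it cannot forge a valid form.
    $token = $post['csrf_token'] ?? '';
    return is_string($token) && hash_equals($expectedToken, $token);
}

// Hypothetical persistence call; real code would update the customer record.
function deactivateCustomer(int $id): void {
    // e.g. UPDATE customers SET status = 'deny' WHERE id = ? (prepared statement)
}

if (!isRequestAllowed($_SERVER, $_POST, csrfTokenForSession())) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}

if (($_POST['action'] ?? '') === 'deny') {
    $id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid account id');
    }
    deactivateCustomer($id);
}
```

Any regstatus request that arrives without the token (the situation the advisory describes) is refused with 403 before the deny action is reached.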