CVE-2025-26206
Published: 03 March 2025
Summary
CVE-2025-26206 is a critical-severity CSRF (CWE-352) vulnerability in Selldone Storefront. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 41.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from tricking authenticated users into privilege escalation via the vulnerable index.html component.
SI-10 enforces information input validation, including CSRF tokens or referer checks, to block unauthorized privilege escalation requests exploiting this CSRF vulnerability.
IA-11 mandates re-authentication for sensitive privilege escalation actions, thwarting CSRF attacks that cannot supply valid credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in public-facing web application (Sell Done Storefront) enables remote exploitation of public-facing application (T1190) to escalate privileges (T1068) by forging requests to perform privileged actions like changing user roles.
NVD Description
Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component
Deeper analysisAI
CVE-2025-26206 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Selldone Storefront version 1.0. The flaw resides in the index.html component and enables a remote attacker to escalate privileges. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, requirement for low privileges and user interaction, and high impacts across confidentiality, integrity, and availability with a changed scope.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting a malicious webpage or request that tricks an authenticated user into submitting a forged request to the vulnerable index.html component. User interaction (UI:R) is required, such as clicking a link or loading a page, but successful exploitation allows privilege escalation, potentially granting the attacker elevated access and enabling further compromise with high-impact effects due to the changed scope (S:C).
Advisories and additional details on mitigation are referenced in the Selldone Storefront GitHub repository at https://github.com/selldone/storefront/blob/main/index.html and a dedicated CVE repository at https://github.com/xibhi/CVE-2025-26206. Security practitioners should review these sources for patch information or workarounds specific to the affected component.
Details
- CWE(s)