CVE-2025-26206
Published: 03 March 2025
Summary
CVE-2025-26206 is a critical-severity CSRF (CWE-352) vulnerability in Selldone Storefront. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); the CVE is ranked in the top 41.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26206 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Selldone Storefront version 1.0. The flaw resides in the index.html component and enables a remote attacker to escalate privileges. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, requirement for low privileges and user interaction, and high impacts across confidentiality, integrity, and availability with a changed scope.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting a malicious webpage or request that tricks an authenticated user into submitting a forged request to the vulnerable index.html component. User interaction (UI:R) is required, such as clicking a link or loading a page, but successful exploitation allows privilege escalation, potentially granting the attacker elevated access and enabling further compromise with high-impact effects due to the changed scope (S:C).
Advisories and additional details on mitigation are referenced in the Selldone Storefront GitHub repository at https://github.com/selldone/storefront/blob/main/index.html and a dedicated CVE repository at https://github.com/xibhi/CVE-2025-26206. Security practitioners should review these sources for patch information or workarounds specific to the affected component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5544
Vulnerability details
Cross-Site Request Forgery vulnerability in Selldone Storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing web application (Sell Done Storefront) enables remote exploitation of public-facing application (T1190) to escalate privileges (T1068) by forging requests to perform privileged actions like changing user roles.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from tricking authenticated users into privilege escalation via the vulnerable index.html component.
SI-10 enforces information input validation, including CSRF tokens or referer checks, to block unauthorized privilege escalation requests exploiting this CSRF vulnerability.
IA-11 mandates re-authentication for sensitive privilege escalation actions, thwarting CSRF attacks that cannot supply valid credentials.