# Exploit Title: PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin) # Google Dork: N/A # Date: 10-03-2019 # Exploit Author: Gionathan "John" Reale # Vendor Homepage: https://github.com/piluscart # Software Link: https://sourceforge.net/projects/pilus/files/PiLUS/1.4.1/PiLUS-1.4.1-Ubiungu-stable.zip/download # Version: 1.4.1 # Tested on: ParrotOS # CVE : N/A PilusCart 1.4.1 is vulnerable to CSRF attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), a form will be submitted that will add a new user as administrator. PoC: