expressCart before 1.1.6 allows remote attackers to create an admin user via a /admin/setup Referer header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-732
Products Affected