SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote malicious user to add an admin user with role status.
spa-cart spa-cart 1.9.0.3