CRITICAL🇵🇱 Wersja polska

CVE-2025-26325

CVSS 9.8v3.1pub. 2025-02-27upd. 2025-04-10

ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.

🤖 AI Analysis
How it works

The vulnerability results from insufficient validation of types and content of uploaded files in the ThemeDataService.php component responsible for theme handling. An attacker can upload a file of dangerous type (e.g., PHP script) without needing permissions or user interaction. Once the malicious file is placed on the server, it can be executed remotely in the context of the web application.

Impact

Successful exploitation of this vulnerability allows an attacker to execute code remotely (RCE) on the server, which may lead to complete takeover of the application, data theft, and violation of system integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Temporarily, it is recommended to restrict access to file upload functionality at the firewall or web server level and monitor application directories for unauthorized files.

Who is affected

ShopXO version 6.4.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Shopxo

    APP
    Shopxo
    6.4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-28056CRITICAL9.8ten sam produkt

ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in ap...

CVE-2020-19778CRITICAL9.8ten sam produkt

Incorrect Access Control in Shopxo v1.4.0 and v1.5.0 allows remote attackers to gain privileges in "/index.php...

CVE-2021-27817CRITICAL9.8ten sam produkt

A remote command execution vulnerability in shopxo 1.9.3 allows an attacker to upload malicious code generated...

CVE-2019-5886CRITICAL9.8ten sam produkt

An issue was discovered in ShopXO 1.2.0. In the application\install\controller\Index.php file, there is no val...

CVE-2021-41938HIGH7.2ten sam produkt

An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file up...