ShopXO
cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*
- 6.4.0
A file upload vulnerability has been identified in ShopXO version 6.4.0, specifically within the ThemeDataService.php file. The application checks the extension of an uploaded file but does not validate the file's actual content. As a result, a file with an accepted extension can carry potentially malicious code, which is then uploaded and executed.
Exploitation of this vulnerability could lead to remote code execution, as uploaded files can be executed by the server.
To reproduce this vulnerability, upload a file whose extension passes the check (such as .html) but whose content includes PHP code. The file will be executed on the server, demonstrating the vulnerability.
It is recommended to implement a content filter for uploaded files to ensure that only safe, intended file types are allowed.
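One way such a content filter could look, as an added example that is not ShopXO's own code: it keeps the extension check and additionally rejects any upload whose bytes a PHP interpreter would treat as code. The function names, the allow-list and the sample uploads are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allow-list for illustration; the page only names .html.
const ALLOWED_EXTENSIONS = ['html', 'css', 'js'];

/** True if the content contains anything a PHP interpreter would treat as code. */
function containsPhpCode(string $bytes): bool
{
    // "<?" covers "<?php", "<?=" and short tags (short_open_tag=On).
    if (strpos($bytes, '<?') !== false) {
        return true;
    }
    // "<script language=php>" was a valid open tag before PHP 7.
    return preg_match('/<script\b[^>]*\blanguage\s*=\s*["\']?php/i', $bytes) === 1;
}

/** Returns null when the upload is acceptable, otherwise the rejection reason. */
function rejectReason(string $clientName, string $bytes): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return "extension '$ext' not allowed";
    }
    if (strpos($bytes, "\0") !== false) {
        return 'NUL byte in a text asset';
    }
    if (containsPhpCode($bytes)) {
        return 'PHP code in a file with an allowed extension';
    }
    return null;
}

// Constructed sample uploads (not taken from ShopXO).
$samples = [
    'banner.html' => '<div class="banner">Sale</div>',
    'notice.html' => '<p>hi</p><?php echo 1; ?>',
    'short.html'  => '<?= 1 ?>',
    'legacy.html' => '<script language="php">echo 1;</script>',
    'tool.php'    => '<p>plain</p>',
];

foreach ($samples as $name => $bytes) {
    printf("%-12s %s\n", $name, rejectReason($name, $bytes) ?? 'accepted');
}
```

Only `banner.html` is accepted. A content check of this kind complements, rather than replaces, making sure uploaded files are never handed to the PHP interpreter.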