CVE-2025-26325
Published: 27 February 2025
Summary
CVE-2025-26325 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in ShopXO. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26325 affects ShopXO version 6.4.0: an unrestricted file upload vulnerability in the ThemeDataService.php component. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vector reflects its critical severity: reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The vulnerability was published on 2025-02-27.
Unauthenticated remote attackers can exploit this flaw over the network without privileges or user interaction. By uploading malicious files through the vulnerable ThemeDataService.php endpoint, an attacker can achieve the high-impact outcomes the CVSS metrics indicate: potential remote code execution, data compromise, or system disruption.
The issue is documented in GitHub issue #86 on the gongfuxiang/shopxo repository (https://github.com/gongfuxiang/shopxo/issues/86), which security practitioners should review for any disclosed patches, workarounds, or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5496
Vulnerability details
ShopXO 6.4.0 is vulnerable to File Upload in ThemeDataService.php.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unrestricted file upload in a public-facing web application (ThemeDataService.php) directly enables remote unauthenticated exploitation (T1190), malicious file ingress (T1105), and web shell deployment leading to RCE (T1505.003).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identifying, reporting, and correcting system flaws like this unrestricted file upload vulnerability through timely patching.
SI-10 mandates information input validation at entry points, directly preventing unrestricted uploads of dangerous file types via ThemeDataService.php.
SI-9 enforces input restrictions to block invalid or malicious files, mitigating CWE-434 unrestricted file uploads without authentication.
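As an added illustration of the SI-10 control (input validation at the upload entry point), not code from ShopXO or its maintainers, the following Python audit rejects the dangerous-type and path-traversal entries a CWE-434 theme upload could carry. It assumes a theme package is a zip archive of templates and static assets; the extension lists and the sample entries are constructed for this example.

```python
import io
import posixpath
import zipfile

# Assumption: a theme package is a zip archive of templates and static assets.
ALLOWED_EXTENSIONS = {"html", "htm", "css", "js", "json", "txt",
                      "png", "jpg", "jpeg", "gif", "svg", "woff", "woff2"}
# Types the web server or PHP could execute if written under the document root (CWE-434).
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php5", "php7", "phar", "htaccess", "cgi", "sh"}


def _suffixes(name):
    """Every suffix of the basename, lowercased: 'logo.php.png' -> ['php', 'png'], '.htaccess' -> ['htaccess']."""
    return posixpath.basename(name).lower().split(".")[1:]


def audit_theme_archive(data):
    """Return (entry_name, reason) findings for an uploaded theme archive; an empty list means it passed."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip archive")]
    findings = []
    for info in archive.infolist():
        name = info.filename
        # Entries that would escape the theme directory on extraction (zip slip / absolute paths).
        if name.startswith("/") or "\\" in name or posixpath.normpath(name).startswith(".."):
            findings.append((name, "path traversal or absolute path"))
            continue
        if info.is_dir():
            continue
        suffixes = _suffixes(name)
        # Any dangerous suffix anywhere rejects the entry, so double extensions do not slip through.
        if set(suffixes) & DANGEROUS_EXTENSIONS:
            findings.append((name, "server-executable file type"))
        # Otherwise the final suffix must be on the allowlist (deny by default).
        elif not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
            findings.append((name, "file type not in allowlist"))
    return findings


def build_sample_archive(entries):
    """Constructed test input: build an in-memory zip from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()
```

Run the audit before any entry is written to disk; a non-empty findings list means the whole package is rejected, not just the offending entries.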