CVE-2025-58449
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maho | maho | 25.9.0 |
| maho | maho | 25.7.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-646 | The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Maho ecommerce platform versions prior to 25.9.0. An authenticated staff user who has access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a product listing that includes a file input field. By allowing file uploads with a .php extension, the user can upload malicious PHP files, which can then be executed remotely, leading to remote code execution on the server.
How can this vulnerability impact me?
If exploited, this vulnerability allows an authenticated staff user to upload and execute malicious PHP code on the server hosting the Maho ecommerce platform. This can lead to remote code execution, potentially compromising the entire server, exposing sensitive data, disrupting services, or allowing further attacks.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Maho ecommerce platform to version 25.9.0 or later, as this version fixes the vulnerability allowing authenticated staff users to upload malicious PHP files. Additionally, review and restrict permissions for staff users to limit access to Dashboard and Catalog\Manage Products if possible until the upgrade is applied.
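The weakness described in the Q&A above is the CWE-646 pattern from the Exploitability table: the upload path trusts an administrator-entered list of allowed file extensions, so an allowlist containing .php turns a product custom-option file input into a way to place server-executable files. The following is an added defensive example, not code from Maho or from this page (Maho is written in PHP; the logic is shown in Python because it is language-neutral). It demonstrates the two controls a practitioner would expect: an admin-side check that refuses to save an allowlist containing server-executable extensions, and an upload-side check that validates a submitted filename against the saved allowlist while handling case tricks, path segments and double extensions. All function names are hypothetical, and the executable-extension list is a constructed starting point to extend for your own server configuration.

```python
import re

# Extensions a typical PHP web server will hand to the interpreter. A customer
# facing upload path should never store files carrying any of these, whatever
# an administrator typed into the allowlist. (Constructed list; extend it for
# your own server configuration.)
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8",
    "phtml", "phar", "phps", "pht", "inc",
})

# A sane extension token: lowercase alphanumerics only, short.
_EXT_TOKEN = re.compile(r"^[a-z0-9]{1,10}$")


def normalize_extension_list(raw):
    """Turn an admin-entered list such as 'JPG, .png,gif' into ['jpg', 'png', 'gif']."""
    exts = []
    for item in raw.split(","):
        ext = item.strip().lower().lstrip(".")
        if ext and ext not in exts:
            exts.append(ext)
    return exts


def validate_allowed_extensions(raw):
    """Admin-side check: return (ok, normalized_list, errors).

    This is the control the vulnerability description says was missing: the
    configured allowlist itself must not contain anything the server executes.
    """
    exts = normalize_extension_list(raw)
    errors = []
    if not exts:
        errors.append("at least one extension is required")
    for ext in exts:
        if not _EXT_TOKEN.match(ext):
            errors.append("invalid extension token: %r" % ext)
        elif ext in EXECUTABLE_EXTENSIONS:
            errors.append("server-executable extension not permitted: %r" % ext)
    return (not errors, exts, errors)


def upload_allowed(filename, allowed_exts):
    """Upload-side check: may a submitted filename be stored under this allowlist?

    Rules: use only the base name (client-supplied paths are ignored), compare
    case-insensitively, ignore trailing dots/spaces, require a real extension
    that is on the allowlist, and reject an executable extension in *any*
    segment so 'shell.php.jpg' and 'shell.jpg.php' both fail. The executable
    set is subtracted from the allowlist again here, so a stale or tampered
    configuration cannot re-enable it.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower().rstrip(". ")
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as '.htaccess'
    segments = parts[1:]
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        return False
    allowed = set(allowed_exts) - EXECUTABLE_EXTENSIONS
    return segments[-1] in allowed


def demo():
    """Run both checks over constructed inputs; returns a dict for inspection."""
    ok, exts, errors = validate_allowed_extensions("jpg, png, .PHP")
    results = {"config_ok": ok, "config_exts": exts, "config_errors": errors}
    allowlist = normalize_extension_list("jpg,png,gif")
    for name in ["photo.JPG", "shell.php", "shell.php.jpg", "shell.jpg.pHp5",
                 ".htaccess", "noext", "../x/logo.png", "pic.png."]:
        results[name] = upload_allowed(name, allowlist)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Extension checks alone do not make an upload path safe: store accepted files under a server-generated random name, outside the web root or in a directory where script execution is disabled, and serve them with a fixed content type. The allowlist check above closes the specific gap the advisory describes; those storage controls are what limit the damage when a check is bypassed.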