File Manager Vulnerability in Innoshop Affecting Admin Panel
CVE-2025-52921

9.9 CRITICAL

Key Information:

Vendor: Innoshop

Status
Vendor
CVE Published: 23 June 2025

What is CVE-2025-52921?

In Innoshop through 0.4.1, the file management functionality of the admin panel contains a security flaw. An authenticated attacker can upload a malicious file and then rename it to a .php extension. This circumvents the existing frontend checks that are intended to restrict file type changes: by sending the request through a proxy tool such as BurpSuite, the attacker bypasses the measures that should prevent the rename. Once the crafted file has been renamed, it can be executed on the server with a simple GET request, leading to potential server compromise.
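The mitigation for this class of flaw is to enforce the rename restriction on the server, where a proxy cannot skip it. The following is an added example, not InnoShop code or the vendor's fix; the function name, the allowlist and the sample file names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: extensions the file manager is assumed to serve as static media.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/**
 * Server-side check for a rename request (hypothetical helper).
 * Returns null when the rename is acceptable, otherwise the rejection reason.
 */
function renameRejectionReason(string $oldName, string $newName): ?string
{
    // No path separators, NUL bytes or dot-files: the file must stay where it is.
    if ($newName === '' || $newName[0] === '.' || preg_match('#[/\\\\\x00]#', $newName)) {
        return 'invalid file name';
    }
    // Some filesystems strip trailing dots and spaces ("x.php." becomes "x.php").
    if (rtrim($newName, '. ') !== $newName) {
        return 'trailing dot or space';
    }
    $parts = explode('.', strtolower($newName));
    array_shift($parts); // drop the base name, keep every extension segment
    if ($parts === []) {
        return 'missing extension';
    }
    // Strict choice: every segment must be allowlisted, so "a.php.jpg" is refused too.
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '$ext' not allowed";
        }
    }
    // A rename may change the name, never the file type.
    $oldExt = strtolower(pathinfo($oldName, PATHINFO_EXTENSION));
    if ($oldExt !== end($parts)) {
        return 'extension change not permitted';
    }
    return null;
}

// Constructed sample requests: [current name, requested name].
$requests = [['logo.png', 'banner.png'], ['logo.png', 'logo.php'],
             ['logo.png', 'logo.PhP'], ['logo.png', 'logo.php.png'],
             ['logo.png', 'logo.jpg'], ['logo.png', '../logo.png']];
foreach ($requests as [$old, $new]) {
    $reason = renameRejectionReason($old, $new);
    printf("%-10s -> %-14s %s\n", $old, $new, $reason ?? 'allowed');
}
```

The same check belongs on the upload path, and the upload directory should additionally be configured so the web server never passes its contents to the PHP interpreter.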

Affected Version(s)

InnoShop 0 <= 0.4.1

References

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
