File Upload Vulnerability in Paymenter Webshop Solution
CVE-2025-58048

10CRITICAL

Key Information:

Vendor

Paymenter

Status
Paymenter
Vendor
CVE Published:
28 August 2025

What is CVE-2025-58048?

Paymenter, an open-source webshop solution, contains a file upload vulnerability affecting versions prior to 1.2.11. This flaw allows authenticated users to upload arbitrary files, potentially leading to unauthorized access to sensitive database information and executing arbitrary commands within the context of the web server. To safeguard against this vulnerability, it is recommended to upgrade to version 1.2.11, which addresses this issue, or implement mitigations such as configuring your nginx to force file downloads instead of executing them or restricting access to the /storage/ directory using a web application firewall like Cloudflare.

Affected Version(s)

Paymenter < 1.2.11

References

https://github.com/Paymenter/Paymenter/security/advisorie...
x_refsource_CONFIRM
https://github.com/Paymenter/Paymenter/commit/87c3db42282...
x_refsource_MISC
https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11
x_refsource_MISC

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-58048 : File Upload Vulnerability in Paymenter Webshop Solution