CVE-2025-5108

Name of the Vulnerable Software and Affected Versions ShopXO version 6.5.0

Description A critical issue affects the Upload function of the file app/admin/controller/Payment.php in the ZIP File Handler component. The manipulation of the params argument leads to unrestricted upload. This issue can be exploited remotely.

Recommendations For version 6.5.0, as a temporary workaround, consider disabling the Upload function in the Payment controller until a patch is available. Restrict access to the app/admin/controller/Payment.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.