CVE-2025-12291 identifies an unrestricted file upload vulnerability in the ashymuzuro Full-Ecommece-Website and Muzuro Ecommerce System up to version 1.1.0. The vulnerability exists in the Add Product Page component accessible via /admin/index.php?add_product. This flaw allows an authenticated user with high privileges to upload files without proper validation or restriction. The lack of file type or content validation means attackers can upload malicious scripts or executables, potentially leading to remote code execution, website defacement, or further system compromise. The vulnerability is remotely exploitable and does not require user interaction, but it does require the attacker to have high-level privileges, likely administrative access to the e-commerce backend. The vendor was notified early but has not issued any patches or responses, and no official fixes are currently available. Although no known exploits have been observed in the wild, the exploit details have been publicly disclosed, increasing the risk of exploitation. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the moderate impact and attack complexity. The vulnerability affects all installations running versions 1.0 and 1.1.0 of the product. The unrestricted upload capability can be leveraged to deploy web shells or malware, enabling attackers to maintain persistence, steal sensitive data, or disrupt services. This vulnerability highlights the importance of secure file upload handling and timely patching in e-commerce platforms.

For European organizations using the ashymuzuro Full-Ecommece-Website platform, this vulnerability poses significant risks including unauthorized code execution, data breaches, and service outages. Attackers with administrative access can upload malicious files to compromise the integrity and availability of e-commerce websites, potentially leading to financial losses, reputational damage, and regulatory penalties under GDPR if customer data is exposed. The ability to upload arbitrary files can facilitate web shell deployment, enabling persistent access and lateral movement within corporate networks. This threat is particularly concerning for mid-sized and large retailers relying on this platform for online sales. The lack of vendor response and patches increases exposure time, raising the likelihood of exploitation. Additionally, disruption of e-commerce services can impact supply chains and customer trust across the European market. Organizations may also face compliance issues if they fail to adequately protect customer data and maintain secure operations.

Until an official patch is released, European organizations should implement strict access controls to limit administrative access to trusted personnel only. Employ network segmentation to isolate the e-commerce backend from other critical systems. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious file uploads or unusual HTTP requests targeting /admin/index.php?add_product. Conduct manual or automated validation of uploaded files to restrict allowed file types and scan for malware. Monitor server logs and file system changes for signs of unauthorized uploads or web shell deployment. Regularly back up website and database content to enable rapid recovery in case of compromise. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts. Engage in threat hunting to identify any early signs of exploitation. Finally, maintain communication channels to receive updates from the vendor or security community regarding patches or workarounds.