The vulnerability identified as CVE-2025-13423 affects Campcodes Retro Basketball Shoes Online Store version 1.0. It resides in the /admin/admin_product.php file, specifically in an unknown function that processes the product_image argument. This flaw allows an attacker with high privileges to remotely upload files without restriction, bypassing any file type or size validation. The vulnerability does not require user interaction but does require the attacker to have elevated privileges (PR:H). The CVSS 4.0 vector indicates network attack vector (AV:N), low complexity (AC:L), no authentication required (AT:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is low (VC:L, VI:L, VA:L), suggesting that while the attacker can upload files, the overall damage potential is limited by the need for high privileges and the scope of the affected system. No patches have been linked yet, and no known exploits are currently active in the wild, but the exploit code is publicly available, increasing the risk of exploitation. The vulnerability could allow attackers to upload malicious scripts or web shells, leading to potential server compromise, data leakage, or defacement. The flaw is particularly critical in environments where the admin interface is exposed or weakly protected. Since the product is an e-commerce platform, exploitation could disrupt business operations or damage customer trust.

For European organizations using Campcodes Retro Basketball Shoes Online Store 1.0, this vulnerability poses a risk of unauthorized file uploads by attackers with high privileges, potentially leading to server compromise, data breaches, or service disruption. Although the impact on confidentiality, integrity, and availability is rated low, the ability to upload arbitrary files can facilitate further attacks such as webshell deployment, malware installation, or defacement. This could result in financial losses, reputational damage, and regulatory penalties under GDPR if customer data is exposed. The risk is heightened for organizations with exposed or poorly secured admin interfaces. Given the medium severity and public availability of exploit code, timely mitigation is essential to prevent exploitation. The threat is more relevant to mid-sized and smaller retailers using this specific platform version, which may lack robust security monitoring.

1. Immediately restrict access to the /admin/admin_product.php interface by IP whitelisting or VPN-only access to limit exposure to trusted administrators. 2. Implement strict server-side validation for file uploads, including checking MIME types, file extensions, and scanning uploaded files for malware. 3. Apply any available patches or updates from Campcodes as soon as they are released. 4. Monitor web server logs and file system changes for suspicious upload activity or unexpected files in upload directories. 5. Employ web application firewalls (WAF) with rules to detect and block malicious file upload attempts targeting the product_image parameter. 6. Conduct regular security audits and penetration tests focusing on the admin interface and file upload functionalities. 7. Educate administrators on secure credential management to prevent privilege escalation that could enable exploitation. 8. Consider isolating the admin interface on a separate network segment to reduce attack surface. 9. Backup critical data and configurations regularly to enable recovery in case of compromise.