CVE-2025-13423: Unrestricted Upload in Campcodes Retro Basketball Shoes Online Store
A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2025-13423 identifies a vulnerability in the Campcodes Retro Basketball Shoes Online Store version 1.0, specifically in the /admin/admin_product.php file. The flaw arises from insufficient validation of the product_image parameter, which allows an attacker with administrative privileges to perform unrestricted file uploads. An authenticated admin user can therefore upload arbitrary files, including server-side scripts, with no restriction on file type or content. Because the vulnerable code sits behind the admin interface, exploitation requires high privileges, but no further user interaction is needed once the attacker is authenticated. The vulnerability is remotely exploitable: if the uploaded file lands in a directory the web server executes, the attacker can plant a web shell or other payload and proceed to full server compromise, data theft, or defacement. The CVSS 4.0 vector indicates network attack vector, low attack complexity, high privileges required (PR:H), no user interaction, and low impact on confidentiality, integrity, and availability individually; combined, they present a moderate risk. No patches or official fixes have been published yet, and no exploitation in the wild has been reported, though proof-of-concept code has been disclosed. This vulnerability highlights the importance of secure file upload handling and strict access control in e-commerce platforms.
Potential Impact
For European organizations using the Campcodes Retro Basketball Shoes Online Store 1.0, this vulnerability poses a moderate risk. Successful exploitation could allow attackers holding admin credentials to upload malicious files, potentially leading to server takeover, unauthorized access to customer and order data, or disruption of online store operations. This can result in loss of customer trust, financial damage, and regulatory penalties under GDPR if personal data is compromised. The individual CVSS impact ratings are low, but a web shell planted through this path gives whoever controls an admin account code execution on the server, so the practical consequence of a compromised or malicious admin account is full takeover. Organizations with weak internal controls, shared or reused admin passwords, or admin panels exposed directly to the internet are particularly at risk. The compromised host could also serve as a foothold for lateral movement within the network, increasing overall risk.
Mitigation Recommendations
1. Immediately restrict access to /admin/admin_product.php (and the rest of the /admin/ interface) to trusted personnel only, for example by IP allowlisting or VPN, and enforce strong authentication such as multi-factor authentication (MFA) for admin accounts. Since exploitation only needs a valid admin session, protecting those credentials is the most effective interim control.
2. Implement strict server-side validation of uploaded files: check the actual content (magic bytes, image parsing) rather than the client-supplied Content-Type, enforce a size limit, and scan for malicious content before acceptance.
3. Use an allowlist of permitted extensions (for example jpg, png, gif, webp) and reject everything else; generate the stored filename server-side rather than reusing the client-supplied name, so that attacker-controlled names and extensions never reach the filesystem.
4. Store uploads outside the web root, or in a dedicated directory where the web server does not execute scripts (PHP execution disabled), and serve them through a handler that sets an explicit image Content-Type; this makes an uploaded script inert even if validation is bypassed.
5. Monitor web server logs for unusual activity: POST requests to /admin/admin_product.php from unexpected sources, newly created files with executable extensions in the upload directory, and subsequent requests to such files.
6. If possible, isolate the e-commerce platform in a segmented network zone to limit lateral movement.
7. Regularly update and patch the platform once a vendor fix becomes available.
8. Conduct security audits and penetration tests focusing on file upload functionality and admin interfaces.
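The following is an added example, not code from Campcodes or from the advisory, showing the upload-handling pattern the Technical Summary describes next to a hardened replacement that applies recommendations 2 through 4 above. The vulnerable function is an assumption about what an unrestricted upload of the product_image parameter typically looks like in a small PHP store; the real admin_product.php has not been examined here. The parameter name product_image comes from the advisory; the storage path and function names are hypothetical.

```php
<?php
// Added example (not Campcodes code). The "vulnerable" function is an assumed
// shape of an unrestricted upload, kept for contrast; the hardened function
// is the pattern to use instead.

declare(strict_types=1);

// --- Vulnerable pattern (assumed, for contrast) ----------------------------
// Trusts the client-supplied filename, never looks at the bytes, and writes
// into a web-served directory. A multipart field named product_image carrying
// "shell.php" becomes /uploads/shell.php and is executed by the web server.
function save_product_image_vulnerable(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened version ------------------------------------------------------
// Allowlist by sniffed content, cap the size, generate the stored name
// server-side, and write to a directory the web server never executes.
const IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

function save_product_image(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }
    // Only accept a file PHP itself received through a multipart upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('image too large');
    }
    // Sniff the real type from the bytes; $file['type'] is client-controlled
    // and is deliberately ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(IMAGE_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // Re-parse as an image. This rejects files that are not decodable images
    // at all; it does NOT stop a valid JPEG that carries PHP tags in metadata,
    // which is why the extension and the non-executable storage dir below are
    // the decisive controls.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: the client's "name" never touches the filesystem,
    // and the extension comes from the allowlist, not from the request.
    $name = bin2hex(random_bytes(16)) . '.' . IMAGE_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store image');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;       // persist this token; serve it via a read-only handler
}

// Usage inside the admin handler (hypothetical storage path, outside the
// document root so the web server cannot execute anything placed there):
// $token = save_product_image($_FILES['product_image'], '/var/app/uploads');
```

The hardened function still has to be paired with a deployment choice: /var/app/uploads (or whatever path is used) must sit outside the document root or have script execution disabled for it, and the stored token should be served by a small handler that sets the image Content-Type explicitly. With those in place, even a validation bypass leaves the attacker with a file the server will only ever return as bytes, never run.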
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-19T15:01:19.558Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691e5586f78d7eef03e60e30
Added to database: 11/19/2025, 11:40:54 PM
Last enriched: 11/19/2025, 11:55:51 PM
Last updated: 11/20/2025, 2:04:07 AM