CVE-2025-5108 is a vulnerability identified in version 6.5.0 of the zongzhige ShopXO e-commerce platform. The flaw resides in the Upload function within the app/admin/controller/Payment.php file, specifically in the ZIP File Handler component. The vulnerability allows an attacker to manipulate the 'params' argument to perform an unrestricted file upload. This means that an attacker can upload arbitrary files, potentially including malicious scripts or executables, without proper validation or restrictions. The vulnerability can be exploited remotely without requiring user interaction or authentication, increasing the risk of exploitation. Although the vendor was notified early, there has been no response or patch released at the time of disclosure. The CVSS 4.0 base score is 5.3, indicating a medium severity level, reflecting the moderate impact on confidentiality, integrity, and availability, and the requirement of low privileges (PR:L) for exploitation. The vulnerability does not require user interaction and can be initiated over the network, but the impact on the system is limited to low confidentiality, integrity, and availability impacts, which suggests that while the attack vector is accessible, the potential damage may be somewhat constrained by the application context or existing controls. No known exploits are currently reported in the wild, but public disclosure of the exploit code increases the risk of active exploitation.

For European organizations using ShopXO 6.5.0, this vulnerability poses a risk of unauthorized file uploads that could lead to remote code execution, data tampering, or service disruption. Attackers could upload web shells or malicious payloads, compromising the confidentiality and integrity of sensitive customer and payment data, and potentially disrupting e-commerce operations. Given that ShopXO is an e-commerce platform, the impact could extend to financial fraud, theft of personal data protected under GDPR, and reputational damage. The lack of vendor response and patch availability increases the urgency for organizations to implement mitigations. The medium severity rating suggests that while the vulnerability is exploitable, the overall impact might be mitigated by existing security controls or the specific deployment environment. However, the ability to upload files without restriction remains a critical security concern, especially in environments where ShopXO is integrated with payment processing and customer data management.

European organizations should immediately audit their ShopXO installations to identify if version 6.5.0 is in use. In the absence of an official patch, organizations should implement strict web application firewall (WAF) rules to detect and block suspicious file uploads, especially those targeting the Payment.php upload function. Restricting file types accepted by the upload functionality and enforcing server-side validation can reduce the risk. Additionally, isolating the ShopXO application in a segmented network zone with limited privileges can contain potential exploitation impact. Monitoring logs for unusual upload activity and deploying intrusion detection systems (IDS) tuned for web shell signatures is recommended. Organizations should also consider disabling or restricting the upload feature temporarily if feasible until a vendor patch is released. Regular backups and incident response plans should be updated to address potential exploitation scenarios. Finally, organizations should engage with the vendor or community for updates and consider alternative e-commerce platforms if the vendor remains unresponsive.