CVE-2025-51605: n/a
An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses.
AI Analysis
Technical Summary
CVE-2025-51605 is a security vulnerability identified in Shopizer version 3.2.7, an open-source e-commerce platform. The core issue lies in the server's Cross-Origin Resource Sharing (CORS) implementation. Specifically, the server reflects the client-supplied Origin header directly into the Access-Control-Allow-Origin response header without any whitelist or validation mechanism. At the same time, the server sets Access-Control-Allow-Credentials to true. This combination is dangerous because it allows any malicious website (origin) to perform authenticated cross-origin requests to the Shopizer server and read sensitive responses. Normally, CORS policies restrict cross-origin reads to trusted domains, but here the lack of origin validation effectively disables this protection. Access-Control-Allow-Credentials: true tells the browser that a response to a request sent with credentials (cookies, HTTP authentication, and client-side TLS certificates) may be exposed to the requesting page, enabling an attacker to leverage a victim's authenticated session.

This vulnerability can lead to unauthorized data disclosure, including sensitive customer information, order details, or administrative data accessible via the Shopizer platform. Although no known exploits are reported in the wild yet, the vulnerability is straightforward to exploit by hosting a malicious webpage that triggers cross-origin requests to the vulnerable Shopizer server while the victim is authenticated. The vulnerability does not require user interaction beyond visiting a malicious site, and no authentication bypass is needed since it abuses the victim's existing authenticated session. The absence of a CVSS score indicates this is a newly published issue, reserved in June 2025 and disclosed in August 2025.
Potential Impact
For European organizations using Shopizer 3.2.7, this vulnerability poses a significant risk to confidentiality and integrity of sensitive e-commerce data. Attackers can steal session-based information, including customer personal data, payment details, and order histories, potentially violating GDPR regulations and leading to severe legal and financial consequences. The ability to perform authenticated cross-origin requests means attackers can impersonate legitimate users, including administrators, to extract or manipulate data. This can result in loss of customer trust, reputational damage, and operational disruption. Given the e-commerce sector's critical role in European economies, exploitation could also impact supply chains and business continuity. Furthermore, the vulnerability could be leveraged as a foothold for further attacks within an organization's network if administrative credentials or sensitive backend data are exposed. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and potential impact make it a high priority for European entities relying on Shopizer.
Mitigation Recommendations
Immediate mitigation steps include updating Shopizer to a patched version once available from the vendor. In the absence of an official patch, organizations should implement strict CORS policies by configuring the server to whitelist only trusted origins in the Access-Control-Allow-Origin header and avoid reflecting client-supplied Origin headers. Additionally, the Access-Control-Allow-Credentials header should be disabled unless absolutely necessary and only for trusted origins. Web application firewalls (WAFs) can be configured to detect and block suspicious cross-origin requests with unexpected Origin headers. Organizations should also conduct thorough audits of their Shopizer deployments to identify any unauthorized data access or anomalies. Monitoring network traffic for unusual cross-origin requests and implementing Content Security Policy (CSP) headers can help reduce the attack surface. Finally, educating users about the risks of visiting untrusted websites while authenticated to critical services can reduce the likelihood of exploitation.
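The allowlist check recommended above, shown next to the reflecting behaviour the advisory describes, with an audit helper that flags the bad combination in a set of response headers. This is an added example, not Shopizer's code; the origins, function names and probe values are constructed for illustration.

```python
# Constructed allowlist: replace with the origins your storefront and admin UI really use.
TRUSTED_ORIGINS = frozenset({"https://shop.example.com", "https://admin.example.com"})


def reflecting_policy(origin):
    """Behaviour described in the advisory: echo any Origin and allow credentials."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_policy(origin, trusted=TRUSTED_ORIGINS):
    """Grant CORS access only on an exact match against a fixed set of origins."""
    # Vary: Origin stops a shared cache replaying one origin's headers to another.
    headers = {"Vary": "Origin"}
    # Exact string comparison: no prefix, suffix or regex matching, and "null" never matches.
    if origin is not None and origin in trusted:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def grants_credentialed_read(probe_origin, response_headers):
    """Audit check: does this response let probe_origin read credentialed responses?"""
    h = {name.lower(): value.strip() for name, value in response_headers.items()}
    return (h.get("access-control-allow-origin") == probe_origin
            and h.get("access-control-allow-credentials") == "true")


def audit(policy, probe_origins):
    """Return the probe origins that a policy function grants credentialed access to."""
    return [o for o in probe_origins if grants_credentialed_read(o, policy(o))]


# Constructed probe origins that are NOT on the allowlist.
PROBES = ["https://untrusted.example.net", "null",
          "https://shop.example.com.untrusted.example.net"]

if __name__ == "__main__":
    print("reflecting:", audit(reflecting_policy, PROBES))
    print("allowlist: ", audit(allowlist_policy, PROBES))
```

When auditing a deployment you operate, pass `grants_credentialed_read` the response headers captured from that server instead of the output of the policy functions.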
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a88da0ad5a09ad001ff894
Added to database: 8/22/2025, 3:32:48 PM
Last enriched: 8/22/2025, 3:48:09 PM
Last updated: 8/22/2025, 4:40:49 PM