
CVE-2025-58449: CWE-646: Reliance on File Name or Extension of Externally-Supplied File in MahoCommerce maho

High
Published: Mon Sep 08 2025 (09/08/2025, 21:27:55 UTC)
Source: CVE Database V5
Vendor/Project: MahoCommerce
Product: maho

Description

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the field to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.

AI-Powered Analysis

Last updated: 09/08/2025, 21:46:47 UTC

Technical Analysis

CVE-2025-58449 is a high-severity vulnerability affecting MahoCommerce's open-source ecommerce platform 'maho' in versions prior to 25.9.0. The vulnerability arises from improper validation of file uploads in the product catalog management interface. An authenticated staff user holding the Dashboard and Catalog\Manage Products permissions can create a custom product option that includes a file input field and configure which file extensions that field accepts. Because the platform enforces no server-side restriction on that list, the staff user can allow `.php` and then upload a PHP script through the option. If the upload directory is served by the web server with PHP execution enabled, requesting the uploaded file executes it, giving remote code execution (RCE) in the context of the web server process. The flaw is categorized as CWE-646, reliance on the file name or extension of an externally supplied file: the only control on what is stored and later executed is an extension list that the attacker controls. Exploitation requires an authenticated staff account with those two permissions; no interaction by any other user is needed, since the attacker both configures the option and performs the upload. The CVSS 4.0 score of 8.7 reflects a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. The vulnerability was fixed in version 25.9.0 of maho. No exploitation in the wild has been reported, but the potential for damage is significant because arbitrary code execution on an ecommerce server exposes customer and payment-related data and the rest of the application's configuration, including database credentials.
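The two validators below are an added example, not Maho's code or its 25.9.0 fix. They contrast the pattern the advisory describes (trust whatever extension list the staff user configured on the custom option) with a server-side policy that a staff user cannot override. The denylist of executable extensions, the function names and the handling of multi-part extensions are assumptions chosen for illustration; the set of extensions a real server executes depends on its PHP handler configuration.

```python
"""Added example, not Maho project code: upload-extension checks for a
file-type custom option, vulnerable pattern beside a hardened one."""
from __future__ import annotations

import os
from typing import Set

# Assumed denylist: extensions a PHP-enabled web server commonly executes.
# Adjust to the handlers actually configured on the target server.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8",
    "phtml", "phar", "phps", "pht", "phpt",
})


def vulnerable_is_allowed(filename: str, configured_exts: Set[str]) -> bool:
    """The CWE-646 pattern: the only check is the extension list that the
    staff user typed into the custom option. If they added "php", a PHP
    upload passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in {e.lower().lstrip(".") for e in configured_exts}


def hardened_is_allowed(filename: str, configured_exts: Set[str]) -> bool:
    """Server-side policy layered on top of the admin-configured allowlist.

    - path components are ignored (the stored name is the basename only);
    - dotfiles are rejected (an uploaded .htaccess can re-enable PHP on Apache);
    - every extension component is checked, because Apache's AddHandler
      matches "shell.php.jpg" as PHP;
    - the admin list cannot re-enable executable types.
    """
    base = os.path.basename(filename)
    if base in ("", ".", "..") or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False                      # no extension at all
    exts = parts[1:]
    if any(e == "" for e in exts):        # "shell.php." style trailing dot
        return False
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    allowed = {e.lower().lstrip(".") for e in configured_exts}
    return exts[-1] in (allowed - EXECUTABLE_EXTENSIONS)


if __name__ == "__main__":
    # Constructed inputs: a staff user who added "php" to the option's list.
    staff_configured = {"jpg", "png", "pdf", "php"}
    for name in ("photo.jpg", "shell.php", "shell.php.jpg", "shell.pHp", ".htaccess"):
        print(f"{name:14} vulnerable={vulnerable_is_allowed(name, staff_configured)!s:5} "
              f"hardened={hardened_is_allowed(name, staff_configured)}")
```

The important design point is that the hardened check treats the staff-configured list as an allowlist that can only narrow, never widen, a policy fixed in code; the same applies to any file type the web server would interpret, not only PHP.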

Potential Impact

For European organizations using MahoCommerce's maho platform, this vulnerability poses a significant risk. Successful exploitation could lead to full server compromise, allowing attackers to steal sensitive customer data, manipulate product listings or pricing, disrupt ecommerce operations, or use the compromised server as a foothold for further attacks within the corporate network. Given that ecommerce platforms are critical for revenue and customer trust, an RCE vulnerability can result in financial losses, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The requirement for an authenticated staff account narrows the attack surface, but the permissions involved (Dashboard plus Catalog\Manage Products) are routinely granted to merchandising and content staff rather than administrators, so a phished or reused staff credential, or a malicious insider, is sufficient. The high severity and potential for widespread disruption make this vulnerability particularly concerning for European retailers and businesses relying on maho for online sales.

Mitigation Recommendations

European organizations should immediately upgrade all affected MahoCommerce installations to version 25.9.0 or later, where this vulnerability is patched. Since the attacker's own account can create the option, also review existing product custom options of type file and remove any allowed-extension lists that include `.php` or other server-interpreted extensions, and check the media upload directories for PHP files that were placed there before the upgrade. Independently of the patch, configure the web server so that nothing under the media or upload tree is passed to the PHP handler; this turns a successful upload of a `.php` file into a static download rather than code execution. Beyond that, enforce strict access controls and monitoring on staff accounts with Dashboard and Catalog\Manage Products permissions to reduce the risk of insider misuse or credential compromise, and require multi-factor authentication (MFA) for all staff users. Conduct regular audits of uploaded files and server directories to detect unauthorized PHP scripts or suspicious files, and alert on new files with executable extensions appearing under the media tree. A web application firewall (WAF) can block obvious upload attempts, but it should be treated as a secondary control because extension and content checks are easily evaded. Consider isolating the ecommerce platform in a segmented network zone with limited access to critical backend systems, educate staff about phishing and social engineering, and ensure logging and alerting cover custom-option changes and file uploads so that suspicious activity can be identified and investigated quickly.
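The audit recommended above, as an added example that is not part of the advisory or of the Maho project: it walks a media tree and reports files that either carry an executable extension, are an `.htaccess` dropped into the upload area, or contain a PHP open tag regardless of their extension (the CWE-646 case, where the name says image and the content says PHP). The directory layout and the sample files it builds are constructed for the demonstration; the path to scan on a real installation is the media or upload directory used by the custom-option file input.

```python
"""Added example, not Maho project code: audit an upload tree for PHP
payloads by extension, by dotfile name and by content."""
from __future__ import annotations

import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List

# Assumed denylist of extensions a PHP-enabled server commonly executes.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8",
    "phtml", "phar", "phps", "pht", "phpt",
})
# "<?php" or the short echo tag "<?="; a polyglot image can carry either.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    mtime: float


def scan_media_tree(root: str, head_bytes: int = 4096) -> List[Finding]:
    """Return one Finding per suspicious file under root, sorted by path."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            exts = name.lower().split(".")[1:]
            if any(e in EXECUTABLE_EXTENSIONS for e in exts):
                reasons.append("executable extension")
            if name.lower() == ".htaccess":
                reasons.append("htaccess in upload tree")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable files are reported by nothing here
            if PHP_OPEN_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append(Finding(path, "; ".join(reasons), os.path.getmtime(path)))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: List[Finding]) -> Dict[str, str]:
    """Map basename -> reasons, convenient for reporting and checking."""
    return {os.path.basename(f.path): f.reason for f in findings}


def build_sample_tree() -> str:
    """Constructed sample upload directory: one clean image, one plain PHP
    file, one image/PHP polyglot and an .htaccess that re-enables PHP."""
    root = tempfile.mkdtemp(prefix="maho_media_")
    custom = os.path.join(root, "custom_options")
    os.makedirs(custom)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        "image.jpg": b"GIF89a<?= 'constructed polyglot' ?>",
        ".htaccess": b"AddType application/x-httpd-php .jpg\n",
    }
    for name, data in samples.items():
        with open(os.path.join(custom, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_media_tree(build_sample_tree()):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.mtime))
        print(f"{stamp}  {f.path}: {f.reason}")
```

Run it from cron against the real upload directory and diff the output against the previous run; a new executable-extension hit or a fresh `.htaccess` under the media tree is worth an immediate look, and the content check catches the case where an uploaded "image" is actually PHP waiting for a handler misconfiguration.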


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-01T20:03:06.533Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68bf4b2cd5a2966cfc836ce1

Added to database: 9/8/2025, 9:31:24 PM

Last enriched: 9/8/2025, 9:46:47 PM

Last updated: 9/10/2025, 4:07:21 AM
