CVE-2025-58449: CWE-646: Reliance on File Name or Extension of Externally-Supplied File in MahoCommerce maho
Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the field to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-58449 is a high-severity vulnerability affecting MahoCommerce's open-source ecommerce platform 'maho' in versions prior to 25.9.0. The vulnerability arises from improper validation of file uploads in the product catalog management interface. Specifically, an authenticated staff user with Dashboard and Catalog\Manage Products permissions can create a custom product option that includes a file input field. Because the extensions a custom option accepts are not restricted server-side, the attacker can configure the option to accept .php files and then upload one. The uploaded file is then executable on the server, resulting in remote code execution (RCE). The root cause is reliance on the file name or extension of externally supplied files (CWE-646), a common weakness where the system trusts the extension to determine file type rather than inspecting the file content or enforcing strict validation. Exploitation requires authenticated access with elevated privileges (a staff user with the specific permissions) and some user interaction (creating or modifying product options). The CVSS 4.0 score is 8.7 (high), reflecting the network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability poses a significant risk because arbitrary PHP code execution on the server can lead to full system compromise, data theft, or disruption of ecommerce operations. The issue is fixed in version 25.9.0, presumably by enforcing stricter validation or disallowing dangerous file extensions for uploads.
Potential Impact
For European organizations using MahoCommerce's maho platform, this vulnerability could have severe consequences. Successful exploitation would allow an insider or compromised staff account to execute arbitrary code on the ecommerce server, potentially leading to theft of customer data, payment information, intellectual property, or disruption of online sales. Given the ecommerce context, this could also damage brand reputation and lead to regulatory penalties under GDPR if personal data is exposed. The requirement for authenticated staff access limits the attack surface but insider threats or credential compromise remain realistic risks. Additionally, attackers who gain initial access through other means could escalate privileges by exploiting this vulnerability. The high impact on confidentiality, integrity, and availability means that business continuity and customer trust could be significantly affected. Organizations operating in sectors with high ecommerce reliance, such as retail, manufacturing, or distribution, are particularly vulnerable. The lack of known exploits in the wild suggests a window of opportunity for proactive patching before widespread attacks occur.
Mitigation Recommendations
European organizations should immediately upgrade MahoCommerce maho to version 25.9.0 or later to remediate this vulnerability. Until patching is possible, restrict the Dashboard and Catalog\Manage Products permissions to the staff who need them and monitor for unusual activity in the Dashboard and Catalog management areas. Employ web application firewalls (WAFs) with rules to detect and block suspicious file uploads, especially attempts to upload PHP or other server-executable scripts. Conduct regular audits of uploaded files and remove any unauthorized or suspicious files. Enforce multi-factor authentication (MFA) for staff accounts to reduce the risk of credential compromise. Additionally, validate file type from the file content (magic bytes or MIME sniffing) against a server-side allowlist rather than relying on the extension, and ensure the upload directory cannot execute scripts. Logging and alerting should be enhanced to detect attempts to create or modify custom options with file inputs, particularly when the configured extension list changes. Finally, conduct security awareness training for staff to recognize phishing or social engineering attempts that could lead to account compromise.
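The content-based validation recommended above, as an added example rather than Maho's own code: the staff-entered extension list for a custom option is filtered server-side against a hard denylist, and each upload is accepted only if its leading bytes match the declared type. The allowlist, signatures and sample inputs are constructed for illustration.

```python
"""Hardening a product custom-option file input against CWE-646-style uploads.

Added example (not Maho's code). The merchant-configured extension list is
filtered server-side, and each upload is checked by content, not by name."""
import os
import re
import secrets

# Leading bytes (magic numbers) for the types a custom option may accept.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Server-executable extensions that no option configuration may enable.
BLOCKED = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "htaccess"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def filter_option_extensions(configured: str) -> set[str]:
    """Parse the staff-entered allowlist ('jpg, png, php') and drop anything
    executable or without a known signature, regardless of what was typed."""
    wanted = {e.strip().lower().lstrip(".") for e in configured.split(",")}
    return {e for e in wanted if e in MAGIC and e not in BLOCKED}


def validate_upload(filename: str, content: bytes, allowed: set[str]) -> tuple[bool, str]:
    """Return (accepted, detail). On success, detail is a server-chosen storage
    name, so the client-supplied name never reaches the filesystem."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(name) or "." not in name:
        return False, "unsafe or extensionless filename"
    exts = name.lower().split(".")[1:]
    # Check the whole chain so 'shell.php.jpg' is refused, not just the last part.
    if any(e in BLOCKED for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in allowed:
        return False, f"extension .{ext} not permitted for this option"
    if not content.startswith(MAGIC.get(ext, ())):
        return False, "content does not match declared type"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    allowed = filter_option_extensions("jpg, png, php")   # staff tries to enable .php
    print(allowed)                                         # .php silently dropped
    print(validate_upload("shell.php", b"<?php echo 1;", allowed))
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8, allowed))
```

Serving the upload directory with script execution disabled (for example, no PHP handler mapped there) is still needed as a second layer, since a polyglot image can carry PHP in its trailing bytes.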
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-01T20:03:06.533Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bf4b2cd5a2966cfc836ce1
Added to database: 9/8/2025, 9:31:24 PM
Last enriched: 9/16/2025, 1:06:59 AM
Last updated: 10/29/2025, 9:50:24 AM