CVE-2025-10615

6.3 MEDIUM

📋 TL;DR

This vulnerability in itsourcecode E-Commerce Website 1.0 allows attackers to upload arbitrary files to the /admin/products.php endpoint without proper restrictions. This affects all installations of version 1.0 that have the vulnerable file accessible. Remote attackers can exploit this to potentially execute malicious code on the server.

💻 Affected Systems

Products:
  • itsourcecode E-Commerce Website
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with /admin/products.php accessible are vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment
🟠 Likely Case: Webshell upload allowing persistent backdoor access and data exfiltration
🟢 If Mitigated: Limited impact if file uploads are blocked or restricted to specific file types

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they have network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit is publicly available and requires minimal technical skill to execute

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative e-commerce platforms or implementing workarounds.

🔧 Temporary Workarounds

Restrict file uploads (Platforms: all)

Implement strict file type validation and size limits on /admin/products.php:

  • Modify products.php to validate file extensions (e.g., only allow .jpg, .png, .pdf)
  • Set maximum file size limit in PHP configuration

Disable vulnerable endpoint (Platforms: all)

Temporarily disable or restrict access to /admin/products.php:

  • Add authentication requirement to products.php
  • Implement IP whitelisting for admin access
  • Rename or move the vulnerable file
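The two workarounds above (extension/size validation and an authentication requirement) combined in one upload handler, as an added example written for this page rather than itsourcecode's own code. The form field name "product_image", the session key "admin_id" and the uploads/products directory are assumptions.

```php
<?php
// Added hardening example (not itsourcecode's own code): a pattern for the
// product-image upload handler in admin/products.php. The field name
// "product_image", the session key "admin_id" and uploads/products/ are assumptions.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // 2 MB cap, enforced regardless of php.ini
const ALLOWED_TYPES = [                     // extension => MIME type the bytes must match
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

session_start();
if (empty($_SESSION['admin_id'])) {          // workaround: require an authenticated admin
    http_response_code(403);
    exit('Admin login required');
}

/**
 * Validates one $_FILES entry and returns a safe destination path, or null to reject.
 * $destDir should be a directory where the web server does not execute scripts.
 */
function validateProductUpload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) { return null; }
    if ($file['size'] > MAX_UPLOAD_BYTES || !is_uploaded_file($file['tmp_name'])) { return null; }

    // Only the final extension counts, and it must be on the allow-list.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) { return null; }

    // Sniff the real content type; never trust the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) { return null; }

    // Server-generated filename: the original name never reaches the filesystem.
    return rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_FILES['product_image'])) {
    $dest = validateProductUpload($_FILES['product_image'], __DIR__ . '/../uploads/products');
    if ($dest === null || !move_uploaded_file($_FILES['product_image']['tmp_name'], $dest)) {
        http_response_code(400);
        exit('Upload rejected');
    }
    // Store $dest in the product record as the application did before.
}
```

Pair this with a web server rule that disables script execution in the upload directory, so that any future validation bypass cannot turn into code execution.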

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block malicious file uploads
  • Monitor file upload activity and set alerts for suspicious patterns
  • Isolate the e-commerce server in a DMZ with strict network segmentation

🔍 How to Verify

Check if Vulnerable:

Check if /admin/products.php exists and accepts file uploads without proper validation

Check Version:

Check website footer or configuration files for version information

Verify Fix Applied:

Test file upload functionality with malicious file types to ensure they are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /admin/products.php
  • Large or unexpected file types being uploaded
  • Multiple failed upload attempts

Network Indicators:

  • POST requests to /admin/products.php with file uploads
  • Unusual outbound connections after file uploads

SIEM Query:

source="web_logs" AND uri="/admin/products.php" AND method="POST" AND size>1000000
