CVE-2025-13411: Critical File Upload Flaw in Campcodes Retro Basketball Shoes Online Store 1.0

Overview

CVE-2025-13411 is a medium severity vulnerability discovered in Campcodes Retro Basketball Shoes Online Store version 1.0. This vulnerability allows for unrestricted file uploads through the /admin/admin_football.php script. An attacker can exploit this flaw remotely, potentially leading to arbitrary code execution on the server. The exploit is publicly available, increasing the risk of exploitation.

Technical Details

The vulnerability resides in the way the application handles the product_image argument within the /admin/admin_football.php file. Insufficient validation and sanitization of the uploaded file’s type and content allow an attacker to upload malicious files, such as PHP scripts or other executable files. Because there are no restrictions enforced on the file types or contents, it bypasses security mechanisms that would otherwise prevent such uploads.

Specifically, an attacker could craft a malicious request to /admin/admin_football.php, embedding a PHP script within an image file or using a disguised file extension. Once uploaded, this file can be accessed and executed, allowing the attacker to gain control over the server or perform other malicious activities.

CVSS Analysis

• CVSS Score: 4.7 (Medium)

This CVSS score indicates a medium severity vulnerability. The base score considers the attack complexity, the privileges required to exploit the vulnerability, and the potential impact on confidentiality, integrity, and availability. While the impact might not be immediately critical, the public availability of the exploit makes it significantly more dangerous, hence, the urgency to apply mitigation steps.

Possible Impact

Successful exploitation of CVE-2025-13411 could have several significant consequences:

• Remote Code Execution (RCE): An attacker could execute arbitrary code on the server, potentially taking complete control of the system.
• Website Defacement: The attacker could modify the website’s content, causing reputational damage.
• Data Breach: Sensitive data stored on the server, such as customer information or database credentials, could be compromised.
• Malware Distribution: The compromised server could be used to host and distribute malware to visitors.

Mitigation or Patch Steps

To mitigate this vulnerability, the following steps are recommended:

1. Apply the Patch (if available): Check the Campcodes website for a patch or updated version of the Retro Basketball Shoes Online Store that addresses this vulnerability. Apply the update immediately.
2. Input Validation and Sanitization: Implement strict input validation and sanitization on the product_image argument in /admin/admin_football.php. Verify that the uploaded file type matches the expected type (e.g., only allow image files like JPG, PNG, or GIF).
3. File Extension Filtering: Implement a whitelist of allowed file extensions and reject any files with extensions not on the list.
4. Content Verification: Perform content verification to ensure that the uploaded file actually matches the declared file type. For example, check the file’s magic bytes to verify that it is a valid image.
5. File Storage Security: Store uploaded files outside the web root directory. This prevents direct access to the files from the web browser and reduces the risk of code execution. If this is not possible, configure the web server to prevent execution of scripts in the upload directory.
6. Web Application Firewall (WAF): Consider using a Web Application Firewall (WAF) to detect and block malicious requests targeting this vulnerability.

References

• GitHub Issue: CVE-2025-13411 Exploit
• VulDB: CVE-2025-13411 Entry (CTI)
• VulDB: CVE-2025-13411 Entry
• Campcodes Official Website