
Critical Vulnerability in Loaded Commerce 6.6: Remote Code Execution via Template Injection (CVE-2025-66572)

Overview

A critical security vulnerability, tracked as CVE-2025-66572, has been reported in Loaded Commerce version 6.6. The published description classifies it as a client-side template injection (CSTI) flaw, yet describes unauthenticated attackers executing arbitrary code on the server. The terminology matters: client-side template injection executes in a victim's browser, much like XSS, while template input that is evaluated by the server's template engine is server-side template injection (SSTI), and it is the latter that yields code execution on the server. The vulnerability is triggered through the search parameter, which makes exploitation straightforward.

Technical Details

Loaded Commerce 6.6 is susceptible to template injection because user-supplied input in the search functionality is not sufficiently sanitized. An attacker can place template syntax in the search parameter; when the server-side templating engine evaluates it, the injected directives run as code, and no authentication is required. The exact template engine is not identified in the available sources, but a successful exploit indicates that the engine allows command execution from template expressions. The Exploit-DB entry (52084) likely contains specific payload examples.

The root cause is in how the application handles the search query: user input is passed to the template engine without being escaped or validated, so the engine treats attacker-supplied template directives as trusted template source rather than as data to render. That confusion between data and template code is what turns a search string into arbitrary code execution on the server.

CVSS Analysis

Because the published CVSS score and severity were not available at the time of writing, a proper CVSS analysis cannot be provided. Based on the description, however, unauthenticated arbitrary code execution on the server would normally warrant a Critical rating: network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability. We strongly recommend patching your Loaded Commerce installation immediately.

Possible Impact

The potential impact of CVE-2025-66572 is significant:

  • Remote Code Execution (RCE): An attacker can execute arbitrary code on the server, potentially gaining full control.
  • Data Breach: Sensitive data, including customer information and payment details, could be compromised.
  • Website Defacement: The attacker could deface the website, damaging its reputation.
  • Denial of Service (DoS): The attacker could crash the server, making the website unavailable to legitimate users.

Mitigation and Patch Steps

To mitigate this vulnerability, apply the following steps:

  1. Upgrade Loaded Commerce: Check the official Loaded Commerce website or the vendor's advisory for a release that addresses CVE-2025-66572 and upgrade as soon as one is available.
  2. Input Sanitization: Validate the search parameter against an allow-list (for example letters, digits, spaces and a bounded length) and, more importantly, never pass user input to the template engine as part of the template text. A template engine should only receive user data as a variable to render, never as template source.
  3. Web Application Firewall (WAF): Deploy a WAF with rules that detect common template delimiters ({{ }}, {% %}, ${ }, <% %>) in request parameters, and add rules specific to the search endpoint. Treat this as a stopgap: signature rules can be bypassed with encoding tricks such as double URL-encoding.
  4. Monitor System Logs: Review web server and application logs for requests to the search functionality whose parameters contain template delimiters or URL-encoded variants of them, and investigate the source addresses of any such requests.

If a patch is not yet available, consider temporarily disabling the search functionality or enforcing strict allow-list validation on the search parameter as a short-term workaround. Upgrading to a patched version remains the preferred and most secure solution.
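The following is an added example, not code from the Loaded Commerce project or from the original post. It shows, in Python, the two defensive checks from the mitigation steps above: an allow-list validator for the search term (the short-term workaround) and a scanner that runs over web server access log lines looking for template delimiters in the search parameter, including double-URL-encoded variants that a naive WAF signature would miss. The log lines, the endpoint path (advanced_search_result.php) and the parameter names (keywords, search, q) are constructed for this example and are assumptions; the list of delimiters covers several common template engines because the advisory does not identify which engine Loaded Commerce uses, and the PHP function names are included on the assumption that Loaded Commerce is a PHP application.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Delimiters of commonly embedded template languages. The engine used by
# Loaded Commerce is not identified in the advisory, so this is an assumed,
# deliberately broad list rather than a signature for one engine.
TEMPLATE_MARKERS = [
    (r"\{\{.*?\}\}", "double-brace expression ({{ }})"),
    (r"\{%.*?%\}", "statement block ({% %})"),
    (r"\$\{.*?\}", "dollar-brace expression (${ })"),
    (r"<%.*?%>", "ASP/EJS-style tag (<% %>)"),
    (r"\{\$.*?\}", "Smarty-style variable ({$ })"),
    # Assumes a PHP back end: the calls an injected template would reach for.
    (r"\b(system|exec|passthru|shell_exec|popen|eval)\s*\(", "PHP code-execution function call"),
]

# Parameter names the search endpoint might use (assumed, not from the advisory).
SEARCH_PARAMS = ("keywords", "search", "q")

# Apache/nginx combined log format (constructed sample below).
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify_search_value(value):
    """Return the template-injection indicators found in a search value.

    The value is URL-decoded once more before matching, so a parameter that was
    double-encoded by the attacker (and decoded once by the query parser) is
    still caught. An empty list means nothing suspicious was found.
    """
    decoded = unquote_plus(value)
    return [label for pattern, label in TEMPLATE_MARKERS
            if re.search(pattern, decoded, re.IGNORECASE | re.DOTALL)]


def is_safe_search_term(value, max_len=100):
    """Allow-list validation for a product search term.

    Accepts letters, digits, spaces and a few punctuation characters up to
    max_len; every template delimiter above falls outside the allow-list, so
    this rejects payloads without needing to know the engine's syntax.
    """
    decoded = unquote_plus(value)
    if len(decoded) > max_len:
        return False
    return re.fullmatch(r"[A-Za-z0-9 .,'&/_-]*", decoded) is not None


def scan_access_log(lines):
    """Scan combined-format access log lines for template syntax in search params."""
    alerts = []
    for line in lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue
        # parse_qs performs the first round of URL decoding.
        params = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        for name in SEARCH_PARAMS:
            for raw in params.get(name, []):
                reasons = classify_search_value(raw)
                if reasons:
                    alerts.append({
                        "ip": match.group("ip"),
                        "time": match.group("time"),
                        "param": name,
                        "value": raw,
                        "decoded": unquote_plus(raw),
                        "reasons": reasons,
                    })
    return alerts


# Constructed sample log: one benign search, one probe with a harmless
# arithmetic expression, one double-encoded probe calling a PHP function,
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:15:01 +0000] "GET /advanced_search_result.php?keywords=blue+widget HTTP/1.1" 200 5123
203.0.113.77 - - [12/Jan/2025:10:15:09 +0000] "GET /advanced_search_result.php?keywords=%7B%7B7*7%7D%7D HTTP/1.1" 200 4988
203.0.113.77 - - [12/Jan/2025:10:15:31 +0000] "GET /advanced_search_result.php?keywords=%257B%257Bsystem('id')%257D%257D HTTP/1.1" 200 5010
198.51.100.5 - - [12/Jan/2025:10:16:02 +0000] "POST /login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{alert["time"]} {alert["ip"]} {alert["param"]}={alert["decoded"]!r}: '
              + ", ".join(alert["reasons"]))
```

Running the script flags the two requests from 203.0.113.77 and leaves the benign search alone; the third line is only caught because classify_search_value decodes the value a second time. The allow-list validator is the stronger control of the two, since it does not depend on enumerating delimiters, but neither replaces the real fix of keeping user input out of the template source.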

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
