CVE-2025-13423: Critical File Upload Vulnerability Exposes Campcodes Online Store

Overview

CVE-2025-13423 describes a medium severity security vulnerability found in Campcodes Retro Basketball Shoes Online Store version 1.0. This vulnerability allows for unrestricted file uploads via the product_image argument in the /admin/admin_product.php file. A remote attacker can exploit this flaw to upload malicious files, potentially leading to code execution, system compromise, or data breaches.

Technical Details

The vulnerability resides in the /admin/admin_product.php file of the Campcodes Retro Basketball Shoes Online Store 1.0. The application fails to properly validate or sanitize the product_image input, allowing an attacker to upload arbitrary files to the server. By manipulating the file extension or content type, an attacker could upload executable files (e.g., PHP scripts, shell scripts) that, when accessed, could compromise the server.

The vulnerability is triggered by submitting a specially crafted request containing a malicious file via the product_image parameter. Since there are no restrictions on the file type or content, the application accepts the file and stores it on the server.

CVSS Analysis

• CVE ID: CVE-2025-13423
• Severity: MEDIUM
• CVSS Score: 4.7

This CVSS score reflects the potential for remote exploitation and the possibility of significant impact. While the CVSS score indicates medium severity, the impact of successful exploitation could be significant, potentially leading to complete system compromise depending on server configuration and uploaded file contents.

Possible Impact

Exploiting this vulnerability could have serious consequences:

• Remote Code Execution: An attacker could upload and execute malicious code on the server, potentially gaining complete control of the system.
• Web Shell Installation: A web shell could be uploaded, providing a persistent backdoor for future access.
• Data Breach: Sensitive data stored on the server, including customer information and database credentials, could be accessed and stolen.
• Defacement: The website could be defaced, damaging the organization’s reputation.
• Denial of Service (DoS): Malicious files could consume server resources, leading to a denial of service for legitimate users.

Mitigation and Patch Steps

To mitigate this vulnerability, the following steps are recommended:

• Apply the Patch: Check Campcodes’ official website for an updated version of the Retro Basketball Shoes Online Store that addresses this vulnerability. Applying the patch is the most effective way to resolve the issue.
• Implement Strict File Upload Validation: Implement robust file upload validation on the server-side. This should include:
  • File Type Restriction: Only allow specific, safe file types (e.g., images).
  • File Extension Validation: Verify that the file extension matches the allowed file types.
  • Content-Type Verification: Check the Content-Type header of the uploaded file.
  • File Size Limits: Set maximum file size limits to prevent resource exhaustion.
  • File Content Scanning: Use an anti-virus or malware scanner to scan uploaded files for malicious code.
• Sanitize Filenames: Sanitize uploaded filenames to prevent directory traversal attacks and other potential issues.
• Principle of Least Privilege: Ensure the web server process runs with the minimum necessary privileges.
• Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests.

References

• GitHub Issue – CVE Details
• VulDB Entry (Correlation ID)
• VulDB Entry (Vulnerability ID)
• Campcodes Official Website