Description
phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
Published: 2025-09-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via arbitrary file upload
Action: Immediate Mitigation
AI Analysis

Impact

The vulnerability in phpgurukul Online Shopping Portal 2.0 allows arbitrary files to be uploaded to the /admin/insert-product.php endpoint due to missing extension validation. This flaw is classed as CWE-434 and can enable an attacker to upload malicious scripts or other executable files, potentially leading to remote code execution, data theft, or further compromise of the web application.

Affected Systems

The vulnerability affects phpgurukul Online Shopping Portal version 2.0. The admin product insertion page located at /admin/insert-product.php is the specific point of exploitation.

Risk and Exploitability

The CVSS score of 9.1 reflects a high severity risk of remote code execution. The EPSS score of < 1% indicates that, at the time of this analysis, the probability of exploitation observed in the wild is low, but the flaw remains critical. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a web‑based POST request to the upload endpoint, typically requiring authenticated admin access or a side‑channel that bypasses authentication. Exploitation would involve crafting a request with a malicious file extension that the system does not filter, thereby allowing the attacker to place a payload that the server will execute.

Generated by OpenCVE AI on April 28, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an official vendor update or hotfix that fixes the upload validation issue and deploy it without delay.
  • Implement strict server‑side file type validation by enforcing a whitelist of allowed extensions (e.g., .jpg, .png, .pdf) and verify MIME types before accepting uploads.
  • Store uploaded files in a directory that has no execute permissions, rename files to random names, and configure the web server to prevent execution of uploaded content.

Generated by OpenCVE AI on April 28, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26521 phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
History

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Sep 2025 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:online_shopping_portal:2.0:*:*:*:*:*:*:*

Wed, 03 Sep 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Phpgurukul
Phpgurukul online Shopping Portal
Vendors & Products Phpgurukul
Phpgurukul online Shopping Portal

Wed, 03 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Sep 2025 15:00:00 +0000

Type Values Removed Values Added
Description phpgurukul Online Shopping Portal 2.0 is vulnerable to Arbitrary File Upload in /admin/insert-product.php, due to the lack of extension validation.
References

Subscriptions

Phpgurukul Online Shopping Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T14:07:56.817Z

Reserved: 2025-08-17T00:00:00.000Z

Link: CVE-2025-57148

cve-icon Vulnrichment

Updated: 2025-09-03T17:30:02.362Z

cve-icon NVD

Status : Modified

Published: 2025-09-03T15:15:38.717

Modified: 2026-04-06T15:17:06.043

Link: CVE-2025-57148

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T00:30:15Z

Weaknesses