GHSA-vgmm-27fc-vmgp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vgmm-27fc-vmgp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vgmm-27fc-vmgp/GHSA-vgmm-27fc-vmgp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-vgmm-27fc-vmgp
- Aliases
- Related
- Published
- 2025-09-09T20:52:24Z
- Modified
- 2025-09-09T21:12:18.916308Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
- Details
-
Summary
In Maho 25.7.0, an authenticated staff user with access to the
DashboardandCatalog\Manage Productspermissions can create a custom option on a listing with a file input field. By allowing file uploads with a.phpextension, the user can use the filed to upload malicious PHP files, gaining remote code executionDetails
An user with the
DashboardandCatalog\Manage Productspermissions can abuse the product custom options feature to bypass the application’s file upload restrictions.When creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application’s normal enforced whitelist and permits disallowed extensions, including
.php.The file uploaded by the custom option is then written to a predictable location:
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.phpBecause this path is directly accessible under the application’s webroot, an attacker can then request the uploaded file via HTTP, causing the server to execute the PHP payload.
PoC
- Sign in to the
/admindashboard as a staff user. Ensure the user's role has access to theDashboardandCatalog\Manage Productspermissions. Navigate to a product catalog listing, for example by clicking on a product linked within the
Most Viewed Productstab on the dashboard. <img width="648" height="194" alt="image" src="https://github.com/user-attachments/assets/1ab69182-68ea-48e4-b50b-46ccf70f40bb" />Navigate to the "Custom Options" tab on the product, and create a custom option with a file upload field. Add
.phpas an allowed extension to the file upload configuration. Save the configuration after making the changes. <img width="836" height="391" alt="image" src="https://github.com/user-attachments/assets/5abe7d80-c16d-4b54-9a19-799bda1bcc34" />In a private window, navigate to the customer facing page for the product, and upload a reverse shell PHP file through the newly configured option. Then click "Add to cart" to complete the upload. <img width="473" height="286" alt="image" src="https://github.com/user-attachments/assets/326ce37e-026a-4211-8e95-6f5f310727df" />
Calculate the location of the uploaded file on the web server as
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php- Navigate to the above path directly to execute the file contents and trigger the reverse shell. <img width="910" height="339" alt="image" src="https://github.com/user-attachments/assets/e0e52607-81d5-4dc2-8550-ef324182f889" />
Impact
This vulnerability allows remote code execution (RCE) on the server. It requires only the Catalog\Manage Products permission, and does not need full administrative access. By leveraging the custom option upload feature, an attacker can bypass the application’s normal file upload protections and execute arbitrary PHP code within the webroot.
Suggested Remediation
Enforce a whitelist of allowed extensions a user is allowed to configure for file upload fields in Custom Options.
- Sign in to the
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-09-08T22:15:34Z", "github_reviewed_at": "2025-09-09T20:52:24Z", "cwe_ids": [ "CWE-646" ], "severity": "HIGH" }- References
Affected packages
Packagist / mahocommerce/maho
Package
- Name
- mahocommerce/maho
- Purl
- pkg:composer/mahocommerce/maho