A critical vulnerability exists in the Themify Shopo product that allows an unauthenticated attacker to upload a malicious file, known as a web shell, to the web server. Successful exploitation of this vulnerability could result in a complete compromise of the server, allowing the attacker to steal data, deface the website, or use the server for further malicious activities. Due to the critical severity and ease of exploitation, immediate remediation is strongly recommended.

The vulnerability is an "Unrestricted Upload of File with Dangerous Type." The application fails to properly validate the types of files being uploaded by users. An attacker can bypass the file type restrictions and upload an executable script (e.g., a PHP web shell) disguised as a legitimate file, such as an image. Once the malicious file is on the server, the attacker can navigate to it via its URL, causing the server to execute the script and grant the attacker remote command execution capabilities.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the potential for severe business impact. An attacker who successfully exploits this flaw can gain full control over the affected web server. Potential consequences include theft of sensitive data (customer information, payment details, intellectual property), website defacement causing reputational damage, service disruption, and the use of the compromised server to launch further attacks against other systems or distribute malware.

Immediate Action: Immediately update the Themify Shopo product to a version higher than 1.1.4, as recommended by the vendor. After patching, it is crucial to review web server logs for any signs of exploitation that may have occurred prior to the update and to inspect the server for any unknown or malicious files.

Proactive Monitoring: Monitor web server access and error logs for suspicious upload attempts or requests to non-standard file types (e.g., .php, .phtml, .aspx) in upload directories. Implement file integrity monitoring (FIM) to detect the creation of unauthorized files in web-accessible folders. Watch for unusual outbound network traffic from the web server, which could indicate a web shell communicating with an attacker's command-and-control server.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Use a Web Application Firewall (WAF) with rules configured to block the upload of suspicious file types.
• Disable script execution permissions on the directory where files are uploaded.
• If the file upload functionality is not essential to business operations, temporarily disable it until the patch can be applied.

Public Exploit Available: false

Given the critical CVSS score of 9.9 and the potential for complete system compromise, this vulnerability poses a significant and immediate threat to the organization. We strongly recommend that the vendor-supplied patch be applied on all affected systems as a top priority. While this CVE is not yet on the CISA KEV list, its high severity warrants an emergency change and deployment. Organizations should also implement the suggested compensating controls to provide defense-in-depth and reduce the risk of compromise if patching is delayed.