CVE-2026-36767
Shopizer · Shopizer
A path traversal vulnerability in Shopizer v3.2.5 allows remote attackers to write arbitrary files to any writable path via the image upload endpoint.
Executive summary
A critical path traversal vulnerability in Shopizer enables remote attackers to write arbitrary files to the server, resulting in potential remote code execution.
Vulnerability
The /content/images/add endpoint lacks sufficient path sanitization. An attacker can submit a crafted POST request to bypass directory restrictions and write files to unintended locations.
Business impact
With a CVSS score of 10.0, this vulnerability is of the highest urgency. Successful exploitation allows an attacker to write malicious payloads, such as webshells, to the server. This can lead to complete system takeover, unauthorized access to customer databases, and significant reputational harm.
Remediation
Immediate Action: Patch or upgrade Shopizer to the latest version immediately to resolve the path traversal vulnerability.
Proactive Monitoring: Monitor server logs for POST requests to the image upload endpoint that contain path traversal patterns (e.g., ../).
Compensating Controls: Use a WAF to inspect and block incoming HTTP requests containing directory traversal sequences directed at the image upload endpoint.
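As an added, defender-side illustration of the monitoring and sanitization points above (this is not Shopizer's code nor code from the advisory), the script below scans constructed access-log lines for POST requests to /content/images/add whose request target still contains a traversal sequence after percent-decoding, and includes a path-containment check of the kind a fixed upload handler needs. It assumes the file name appears in the request line; if Shopizer only carries it in the multipart body, a plain access log will not show it and an application-level or WAF log must be inspected instead. The query parameter `name` and all paths are placeholders.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample access-log lines (not real Shopizer traffic). The "name"
# query parameter and the target paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "POST /content/images/add HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2026:10:00:02 +0000] "POST /content/images/add?name=../../tmp/demo.txt HTTP/1.1" 200 40
10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "POST /content/images/add?name=%2e%2e%2f%2e%2e%2ftmp%2fdemo.txt HTTP/1.1" 200 40
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "POST /content/images/add?name=%252e%252e%252fdemo.txt HTTP/1.1" 200 40
10.0.0.3 - - [01/Mar/2026:10:00:05 +0000] "GET /content/images/logo.png HTTP/1.1" 200 9000
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UPLOAD_PATH = "/content/images/add"
TRAVERSAL = re.compile(r"\.\.(?:/|$)")  # "../" or a trailing ".." after normalisation


def normalize(target: str) -> str:
    """Percent-decode up to three times (catches double encoding such as %252e)
    and fold backslashes into slashes so "..\\" is treated like "../"."""
    for _ in range(3):
        target = unquote(target)
    return target.replace("\\", "/")


def is_suspicious(line: str) -> bool:
    """True for a POST to the upload endpoint whose target carries a traversal sequence."""
    m = REQUEST_LINE.search(line)
    if not m:
        return False
    if m.group("method") != "POST" or not m.group("target").startswith(UPLOAD_PATH):
        return False
    return TRAVERSAL.search(normalize(m.group("target"))) is not None


def flag_traversal_uploads(log_text: str) -> list:
    """Return the log lines that should be raised for review."""
    return [line for line in log_text.splitlines() if is_suspicious(line)]


def resolve_within(base_dir: str, user_supplied_name: str):
    """Hypothetical containment check (not Shopizer's code): return the resolved
    target only if it stays under base_dir, otherwise None."""
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # "../" escaped the directory or an absolute path was supplied
    return candidate
```

Run the detector as a periodic job over the web server's access log, and treat any hit as a trigger to verify the integrity of the image directory and the application's webroot.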
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability requires immediate intervention. Security teams must ensure that all instances of Shopizer are updated and that file system integrity is verified to ensure no unauthorized files have been planted.