CVE-2026-40750

themagnifico52 Kids · Kids Online Store

An unrestricted file upload vulnerability in themagnifico52 Kids Online Store allows attackers to upload and execute a web shell.

Executive summary

A critical unrestricted file upload vulnerability in the Kids Online Store allows remote attackers to place a server-side script (a web shell) on the host and execute it by requesting it through the web server, giving them remote code execution with the privileges of the web server process.

Vulnerability

The upload handler does not restrict the type of file it accepts: neither the extension nor the content of the uploaded file is checked, and the file is stored where the web server will serve it. An attacker can therefore upload a script in the server's own language, such as a web shell, and then request its URL; the server executes it rather than returning it, and every subsequent request to the shell becomes a remote command.

Business impact

With a CVSS score of 9.9, this flaw gives an attacker code execution on the store's web server, which in practice means full compromise of that host. Once a web shell is established, an attacker can read customer and order data from the application's database credentials, modify store content (including injecting payment-skimming scripts), plant persistence, or pivot into the internal network, causing significant business disruption and legal liability.

Remediation

Immediate Action: Update the Kids Online Store to the latest version, and confirm that the upload path now validates files properly: an allow-list of permitted extensions (not a deny-list of script extensions, which is easy to bypass), verification that the file content matches the claimed type, a server-generated filename in place of the client-supplied one, and a size limit.

Proactive Monitoring: Scan the web server for unauthorized files, particularly in directories where user uploads are permitted. Look for files with server-side script extensions (.php, .jsp, .aspx and similar, including names such as image.php.jpg), files whose content does not match their extension, and files modified outside of deployments. Correlate with web server access logs: requests for unexpected files under the upload directory, especially POST requests or requests with query strings, are a strong indicator that a shell is already in use.

Compensating Controls: Enforce file upload restrictions at the application level and configure the web server so that nothing in the upload directory is executed: disable the script handler for that location, serve uploads with a fixed Content-Type and X-Content-Type-Options: nosniff, and, where possible, store uploads outside the document root and serve them through a handler that only reads and returns bytes. Uploading a .htaccess file into the upload directory can re-enable execution on servers that honour per-directory overrides, so that override should be disabled as well.
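The following is an added example, not code from the Kids Online Store project: a minimal upload check of the kind the remediation above calls for, placed next to the pattern the advisory describes. The image-only policy, the allowed types and the size limit are assumptions for the sake of the example; the point is that the client-supplied name and content are never trusted.

```python
import os
import re
import secrets

# Constructed policy for the example: the store only needs images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Magic bytes for each allowed type; the extension alone is attacker-controlled.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    pass


def vulnerable_save(upload_dir, filename, data):
    """The pattern the advisory describes: the client-supplied name is used as-is.
    A file named shell.php lands in a web-served directory and runs on the next
    request for it."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(filename, data):
    """Return the canonical extension if the upload passes, else raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename)  # drop any path the client sent
    # Exactly one extension: shell.php.jpg and shell.jpg.php both fail here,
    # which also blocks double-extension tricks against lax server handlers.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("bad filename")
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:  # allow-list, never a deny-list
        raise UploadRejected("extension not allowed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def safe_save(upload_dir, filename, data):
    """Validate, then store under a server-chosen random name so the attacker
    never controls the path or the extension that ends up on disk."""
    ext = validate_upload(filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

The magic-byte check only proves the file starts like an image; a polyglot (a valid GIF header followed by PHP) still passes it, which is why the web server configuration that refuses to execute anything in the upload directory is a required second layer rather than an optional one.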

Exploitation status

Public Exploit Available: False

Analyst recommendation

Organizations should prioritize updating their Kids Online Store installation to version 0.9.0 or higher. Immediate action is required to prevent unauthorized access, and administrators should review all uploaded content to confirm that no malicious files have been deployed. Any web shell found should be treated as an incident rather than a file to delete: the host, its application secrets and database credentials, and any accounts reachable from it should be considered compromised until reviewed.
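The scan described under Proactive Monitoring and in the recommendation above, as an added example that is not tooling from the Kids Online Store project. It walks an upload directory and flags anything that is not the image content the store is assumed to hold; the extension list and shell markers are a constructed starting point, to be extended from the deployment's own stack and indicators.

```python
import os

# Extensions a web server may hand to a script engine. Constructed list.
SERVER_SIDE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "jsp", "jspx", "asp", "aspx", "ashx", "cgi", "pl", "py", "sh",
}
# Byte markers that open or appear in common web shells. Constructed list.
SHELL_MARKERS = (
    b"<?php", b"<?=", b"<%", b"#!/", b"eval(", b"base64_decode(",
    b"system(", b"shell_exec(", b"passthru(", b"Runtime.getRuntime(",
)
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def classify_file(name, head):
    """Return the reasons a file is suspicious (empty list means it looks fine).
    `head` is the first few KB of content, enough for magic bytes and for the
    preamble of most shells."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in SERVER_SIDE_EXTENSIONS:
        reasons.append(f"server-side extension .{ext}")
    elif any(p in SERVER_SIDE_EXTENSIONS for p in parts[1:-1]):
        # shell.php.jpg: some handler configurations execute on the inner extension
        reasons.append("server-side extension hidden inside the name")
    if not any(head.startswith(sig) for sig in IMAGE_MAGIC):
        reasons.append("content is not an image")
    for marker in SHELL_MARKERS:
        # Checked even when the magic bytes look right, to catch polyglots
        # such as a GIF header followed by PHP.
        if marker in head:
            reasons.append(f"contains {marker!r}")
            break
    return reasons


def scan_upload_dir(root, head_bytes=4096):
    """Walk `root` and return {relative_path: reasons} for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(head_bytes)
            reasons = classify_file(fn, head)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    for path, why in sorted(scan_upload_dir(sys.argv[1]).items()):
        print(path, "->", "; ".join(why))
```

Run it against the upload directory and against a known-good copy from a deployment artifact; anything flagged, and anything present on the server but absent from the artifact, gets examined by hand. A clean scan is not proof of absence, since a shell can be renamed to an image extension and invoked through a separate include, so the access-log review in the Proactive Monitoring item still applies.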